From fd9549c0fb0e1916ca553a1abbeebd48f608955d Mon Sep 17 00:00:00 2001 From: =?utf8?q?David=20H=C3=A4rdeman?= Date: Sun, 11 Feb 2024 18:29:15 +0100 Subject: [PATCH] Fix potential integer overflow in parsednssl() MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit optlen is a uint8_t because the length field in the RA header is one octet (representing the length in units of 8 octets). Later optlen is multiplied by 8 to represent the length in bytes, meaning that the variable can overflow. Signed-off-by: David Härdeman Signed-off-by: Rémi Denis-Courmont --- src/ndisc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ndisc.c b/src/ndisc.c index 1640794..b190b18 100644 --- a/src/ndisc.c +++ b/src/ndisc.c @@ -451,7 +451,7 @@ static int parsednssl (const uint8_t *opt) { const uint8_t *base; - uint8_t optlen = opt[1]; + uint16_t optlen = opt[1]; if (optlen < 2) return -1; -- 2.39.5