File: Fix-potential-integer-overflow-in-parsednssl.patch

ndisc6 1.0.8-1
From fd9549c0fb0e1916ca553a1abbeebd48f608955d Mon Sep 17 00:00:00 2001
From: =?utf8?q?David=20H=C3=A4rdeman?= <david@hardeman.nu>
Date: Sun, 11 Feb 2024 18:29:15 +0100
Subject: [PATCH] Fix potential integer overflow in parsednssl()
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

optlen is a uint8_t because the length field in the RA header is one octet
(representing the length in units of 8 octets). Later optlen is multiplied by 8
to represent the length in bytes, meaning that the variable can overflow.

Signed-off-by: David Härdeman <david@hardeman.nu>
Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
---
 src/ndisc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ndisc.c b/src/ndisc.c
index 1640794..b190b18 100644
--- a/src/ndisc.c
+++ b/src/ndisc.c
@@ -451,7 +451,7 @@ static int
 parsednssl (const uint8_t *opt)
 {
 	const uint8_t *base;
-	uint8_t optlen = opt[1];
+	uint16_t optlen = opt[1];
 	if (optlen < 2)
 		return -1;
 
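Review bot: the `uint16_t optlen = opt[1];` declaration gives no reason for the wider type at the point of use, because the multiplication by 8 described in the commit message happens later in the function. A short comment on that line, noting that the variable later holds the length in bytes (at most 255 * 8 = 2040), would keep a future cleanup from narrowing it back to `uint8_t`. Separately, `parsednssl()` receives only `const uint8_t *opt` with no remaining-length argument, so it is worth confirming that the caller has already checked that `opt[1] * 8` bytes lie inside the received packet; the widening makes the byte count correct but does not by itself bound it.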
-- 
2.39.5