diff options
| author | Francois Berder <[email protected]> | 2026-05-11 21:55:31 +0200 |
|---|---|---|
| committer | Jerome Forissier <[email protected]> | 2026-06-03 17:22:24 +0200 |
| commit | 4ba29d709419a567832276f80592d28f42e965b2 (patch) | |
| tree | 0d3de2f5cda76b2e3ddf16209271c3f072684b79 | |
| parent | a38bf2121a398538730cd42a0cf3db8f80119c62 (diff) | |
net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing
The net_boot_file_name is a 1024 byte buffer.
However, based on DHCPv6 RFC, bootfile-url length is
specified by option_len, a 16-bit unsigned integer
(valid range: 0-65535).
Hence, one needs to make sure that option_len is less
than the size of net_boot_file_name array before copying
bootfile-url to net_boot_file_name.
Signed-off-by: Francois Berder <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>
| -rw-r--r-- | net/dhcpv6.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/dhcpv6.c b/net/dhcpv6.c index 5bf935cb6a3..51f44979f8e 100644 --- a/net/dhcpv6.c +++ b/net/dhcpv6.c @@ -377,6 +377,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len) break; case DHCP6_OPTION_OPT_BOOTFILE_URL: debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n"); + if (option_len >= sizeof(net_boot_file_name)) { + debug("Option length for BOOTFILE_URL is greater or equal than %zu. Skipping\n", + sizeof(net_boot_file_name)); + break; + } copy_filename(net_boot_file_name, option_ptr, option_len + 1); debug("net_boot_file_name: %s\n", net_boot_file_name); |