author: Francois Berder <[email protected]> 2026-05-15 18:53:32 +0200
committer: Jerome Forissier <[email protected]> 2026-06-03 17:22:24 +0200
commit: 2b612de8952d448ab6345c5af6e28fecea1a2f1e
tree: 086e52d955a0d5897d8f811f97a866684fa09533 /scripts
parent: 4ba29d709419a567832276f80592d28f42e965b2

net: dhcpv6: Prevent out-of-bounds reads while parsing options

dhcp6_parse_options() verifies that an option's declared data fits within the packet, but does not check that option_len is large enough for the fixed-size read each case performs. A malicious DHCP server can send an ADVERTISE with a zero-length IA_NA, STATUS_CODE, SOL_MAX_RT, or BOOTFILE_PARAM option, causing the parser to read 2-4 bytes past the option's declared data. Check option_len value before each dereference of option_ptr.

Signed-off-by: Francois Berder <[email protected]>

Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
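
The two checks the commit message distinguishes, shown in a minimal DHCPv6 option walker. This is an added example, not code from this commit or its project: `parse_options`, `struct parsed`, the `rd16`/`rd32` helpers, the minimum lengths (taken from the RFC 8415 fixed fields) and the choice to reject rather than skip a short option are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Option codes from RFC 8415; each comment lists the fixed fields read below. */
#define OPT_IA_NA       3   /* IAID(4) + T1(4) + T2(4) */
#define OPT_STATUS_CODE 13  /* status-code(2) */
#define OPT_SOL_MAX_RT  82  /* SOL_MAX_RT value(4) */

/* Hypothetical result structure for this example. */
struct parsed { uint32_t iaid; uint16_t status; uint32_t sol_max_rt; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Returns 0 on success, -1 on a truncated or undersized option. */
int parse_options(const uint8_t *buf, size_t len, struct parsed *out)
{
    size_t off = 0;

    while (off < len) {
        if (len - off < 4)
            return -1;                  /* option header itself is truncated */
        uint16_t code = rd16(buf + off);
        uint16_t olen = rd16(buf + off + 2);
        const uint8_t *data = buf + off + 4;

        if (olen > len - off - 4)       /* check 1: declared data fits the packet */
            return -1;

        switch (code) {                 /* check 2: olen covers the fixed-size read */
        case OPT_IA_NA:
            if (olen < 12) return -1;
            out->iaid = rd32(data);
            break;
        case OPT_STATUS_CODE:
            if (olen < 2) return -1;
            out->status = rd16(data);
            break;
        case OPT_SOL_MAX_RT:
            if (olen < 4) return -1;
            out->sol_max_rt = rd32(data);
            break;
        default:
            break;                      /* unknown options are skipped */
        }
        off += 4 + (size_t)olen;
    }
    return 0;
}
```

A zero-length option placed last in the packet passes check 1 (zero bytes always fit), so only check 2 stops the read from running past the end of the buffer.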