[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] slirp: check len against dhcp options array end
From: |
Reno Robert |
Subject: |
Re: [Qemu-devel] [PATCH] slirp: check len against dhcp options array end |
Date: |
Mon, 17 Jul 2017 23:10:02 +0530 |
+ if (p + len > p_end) {
Shouldn't this be (p + len >= p_end) ?
On Mon, Jul 17, 2017 at 8:18 PM, Samuel Thibault
<address@hidden> wrote:
> P J P, on lun. 17 juil. 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit <address@hidden>
>>
>> While parsing dhcp options string in 'dhcp_decode', if an options'
>> length 'len' appeared towards the end of 'bp_vend' array, ensuing
>> read could lead to an OOB memory access issue. Add check to avoid it.
>>
>> Reported-by: Reno Robert <address@hidden>
>> Signed-off-by: Prasad J Pandit <address@hidden>
>
> Oops, sure, applied to my tree, thanks!
>
> Samuel
--
Regards,
Reno Robert
http://v0ids3curity.blogspot.in/