17.07.2017 17:48, Samuel Thibault wrote:
> P J P, on lun. 17 juil. 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit
>>
>> While parsing dhcp options string in 'dhcp_decode', if an options'
>> length 'len' appeared towards the end of 'bp_vend' array, ensuing
>> read could lead to an OOB memory
+if (p + len > p_end) {
Shouldn't this be (p + len >= p_end) ?
On Mon, Jul 17, 2017 at 8:18 PM, Samuel Thibault
wrote:
> P J P, on lun. 17 juil. 2017 17:33:26 +0530, wrote:
>> From: Prasad J Pandit
>>
>> While parsing dhcp options string in 'dhcp_decode', if an options'
>> length 'l
Reno Robert, on lun. 17 juil. 2017 23:10:02 +0530, wrote:
> +if (p + len > p_end) {
>
> Shouldn't this be (p + len >= p_end) ?
No: if p_end-p is 1, len being 1 is fine.
Samuel
P J P, on lun. 17 juil. 2017 17:33:26 +0530, wrote:
> From: Prasad J Pandit
>
> While parsing dhcp options string in 'dhcp_decode', if an options'
> length 'len' appeared towards the end of 'bp_vend' array, ensuing
> read could lead to an OOB memory access issue. Add check to avoid it.
>
> Repor
From: Prasad J Pandit
While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.
Reported-by: Reno Robert
Signed-off-by: Prasad J Pandit
---
slirp/bo
