CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/05/03 09:49:09
Modified files:
sbin/dhcp6leased: engine.c
Log message:
Prevent unsigned underflow leading to a crash.
An IA_PD option contains one or more nested dhcp options.
We first need to make sure that the length field of the option header
does not point outside of the encapsulating option, which we did.
When we then parse the nested options we need to make sure that nested
option header length field is large enough for the nested option, not
that the encapsulating option length is large enough for the
encapsulated option.
Otherwise opt_hdr.len - 2 can underflow, which strvisx(3) interprets
as a size_t, i.e. a very large number, leading to a crash once we hit
a guard.
Underflow pointed out by an AI tool (sorry, don't know which one) in a
somewhat convoluted way. It also provided a reproducer for the issue
which was more helpful.
AI reports triaged by millert.
While here fix the same bug in the DHO_IA_PREFIX case and prevent a
memory leak.
OK tb
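
The two checks the log message distinguishes, as an added example that is not code from engine.c or from the dhcp6leased project. It assumes the nested option is a Status Code option (RFC 8415: option code 13, a two-byte status followed by a message), taken here as the case where a length minus 2 is computed; all function and macro names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Values from RFC 8415; the names are this example's own. */
#define OPT_HDR_LEN	4	/* 2-byte code + 2-byte length */
#define OPT_STATUS_CODE	13
#define STATUS_CODE_LEN	2	/* fixed part of a Status Code option */

static uint16_t
rd16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Walk the nested options inside an encapsulating option body of len
 * bytes. Returns the message length of the last Status Code option seen
 * (0 if there is none), or -1 if any nested option is malformed.
 */
long
nested_status_msg_len(const uint8_t *body, size_t len)
{
	size_t off = 0;
	long msg_len = 0;

	while (len - off >= OPT_HDR_LEN) {
		uint16_t code = rd16(body + off);
		uint16_t olen = rd16(body + off + 2);

		off += OPT_HDR_LEN;
		/* Check 1: nested length stays inside the encapsulating option. */
		if (olen > len - off)
			return -1;
		/*
		 * Check 2: the nested option's own length covers its fixed
		 * part. Without it, olen - 2 wraps once converted to size_t.
		 */
		if (code == OPT_STATUS_CODE) {
			if (olen < STATUS_CODE_LEN)
				return -1;
			msg_len = olen - STATUS_CODE_LEN;
		}
		off += olen;
	}
	/* Leftover bytes too short for an option header are malformed. */
	return off == len ? msg_len : -1;
}
```

Check 1 alone accepts a Status Code option whose length field is 0 or 1, because such an option still fits inside the encapsulating option; only check 2 rejects it.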