Skip to content

Commit

Permalink
[dhcp_relay] Check payload size to prevent buffer overflow in dhcpv6 …
Browse files Browse the repository at this point in the history
…option (sonic-net#9740)
  • Loading branch information
kellyyeh authored and pull[bot] committed Oct 5, 2024
1 parent a8ffc4f commit 56b0f18
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions src/dhcp6relay/src/relay.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -493,14 +493,17 @@ void relay_client(int sock, const uint8_t *msg, int32_t len, const ip6_hdr *ip_h
auto position = current_position + sizeof(struct dhcpv6_option);
auto dhcpv6msg = parse_dhcpv6_hdr(position);

while ((current_position - msg) != len) {
while ((current_position - msg) < len) {
auto option = parse_dhcpv6_opt(current_position, &tmp);
current_position = tmp;
if (current_position - msg > len || ntohs(option->option_length) > sizeof(buffer) - (current_buffer_position - buffer)) {
break;
}
switch (ntohs(option->option_code)) {
case OPTION_RELAY_MSG:
memcpy(current_buffer_position, ((uint8_t *)option) + sizeof(struct dhcpv6_option), ntohs(option->option_length));
current_buffer_position += ntohs(option->option_length);
type = dhcpv6msg->msg_type;;
type = dhcpv6msg->msg_type;
break;
default:
break;
Expand Down

0 comments on commit 56b0f18

Please sign in to comment.