diff options
Diffstat (limited to 'meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch')
-rw-r--r-- | meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch b/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch new file mode 100644 index 0000000000..0c912f25df --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From a2622b8398ba026faf481f5eddeb53231d9de4a7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Lennart Poettering <lennart@poettering.net> | ||
3 | Date: Fri, 19 Oct 2018 12:12:33 +0200 | ||
4 | Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option | ||
5 | header | ||
6 | |||
7 | Fixes a vulnerability originally discovered by Felix Wilhelm from | ||
8 | Google. | ||
9 | |||
10 | CVE-2018-15688 | ||
11 | LP: #1795921 | ||
12 | https://bugzilla.redhat.com/show_bug.cgi?id=1639067 | ||
13 | |||
14 | (cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892) | ||
15 | |||
16 | CVE: CVE-2018-15688 | ||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
20 | --- | ||
21 | src/libsystemd-network/dhcp6-option.c | 2 +- | ||
22 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c | ||
25 | index c4b402b..dcbaad0 100644 | ||
26 | --- a/src/libsystemd-network/dhcp6-option.c | ||
27 | +++ b/src/libsystemd-network/dhcp6-option.c | ||
28 | @@ -103,7 +103,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) { | ||
29 | return -EINVAL; | ||
30 | } | ||
31 | |||
32 | - if (*buflen < len) | ||
33 | + if (*buflen < offsetof(DHCP6Option, data) + len) | ||
34 | return -ENOBUFS; | ||
35 | |||
36 | ia_hdr = *buf; | ||
37 | -- | ||
38 | 2.7.4 | ||
39 | |||