Free DHCP options with length zero.
Otherwise they are leaked, allowing an attacker to trigger memory exhaustion. This is options.c rev. 1.70 from OpenBSD. admbugs: 552 Obtained from: OpenBSD MFC after: 3 days
This commit is contained in:
parent
a3ae40c7a4
commit
5baf985da7
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=349439
@ -896,6 +896,5 @@ do_packet(struct interface_info *interface, struct dhcp_packet *packet,
|
|||||||
|
|
||||||
/* Free the data associated with the options. */
|
/* Free the data associated with the options. */
|
||||||
for (i = 0; i < 256; i++)
|
for (i = 0; i < 256; i++)
|
||||||
if (tp.options[i].len && tp.options[i].data)
|
|
||||||
free(tp.options[i].data);
|
free(tp.options[i].data);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user