slirp: check len against dhcp options array end While parsing dhcp options string in 'dhcp_decode', if an options' length 'len' appeared towards the end of 'bp_vend' array, ensuing read could lead to an OOB memory access issue. Add check to avoid it. This is CVE-2017-11434. Reported-by: Reno Robert <renorobert@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

commit: 27731580d379716f2a0b4ea7d27486dd9c29198a [log] [tgz]
author: Prasad J Pandit <pjp@fedoraproject.org> Mon Jul 17 17:33:26 2017 +0530
committer: Samuel Thibault <samuel.thibault@ens-lyon.org> Thu Aug 03 00:26:44 2017 +0200
tree: 54d4b78d60bf75b605b10a07dd108bac4514264e
parent: db0dd60b8c8de91ef3f6d66a2d0c2b62ab94c400 [diff]
diff --git a/bootp.c b/bootp.c
index baa6380..810da0c 100644
--- a/bootp.c
+++ b/bootp.c

@@ -129,6 +129,9 @@
             if (p >= p_end)
                 break;
             len = *p++;
+            if (p + len > p_end) {
+                break;
+            }
             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
 
             switch (tag) {
commit	27731580d379716f2a0b4ea7d27486dd9c29198a	[log] [tgz]
author	Prasad J Pandit <pjp@fedoraproject.org>	Mon Jul 17 17:33:26 2017 +0530
committer	Samuel Thibault <samuel.thibault@ens-lyon.org>	Thu Aug 03 00:26:44 2017 +0200
tree	54d4b78d60bf75b605b10a07dd108bac4514264e
parent	db0dd60b8c8de91ef3f6d66a2d0c2b62ab94c400 [diff]