Author: markj
Date: Wed Jun 26 20:19:48 2019
New Revision: 349439
URL: https://svnweb.freebsd.org/changeset/base/349439

Log:
  Free DHCP options with length zero.
  
  Otherwise they are leaked, allowing an attacker to trigger memory
  exhaustion.
  
  This is options.c rev. 1.70 from OpenBSD.
  
  admbugs:      552
  Obtained from:        OpenBSD
  MFC after:    3 days

Modified:
  head/sbin/dhclient/options.c

Modified: head/sbin/dhclient/options.c
==============================================================================
--- head/sbin/dhclient/options.c        Wed Jun 26 20:11:52 2019        
(r349438)
+++ head/sbin/dhclient/options.c        Wed Jun 26 20:19:48 2019        
(r349439)
@@ -896,6 +896,5 @@ do_packet(struct interface_info *interface, struct dhc
 
        /* Free the data associated with the options. */
        for (i = 0; i < 256; i++)
-               if (tp.options[i].len && tp.options[i].data)
-                       free(tp.options[i].data);
+               free(tp.options[i].data);
 }
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to