Author: markj
Date: Wed Jun 26 20:19:48 2019
New Revision: 349439
URL: https://svnweb.freebsd.org/changeset/base/349439
Log:
Free DHCP options with length zero.
Otherwise they are leaked, allowing an attacker to trigger memory
exhaustion.
This is options.c rev. 1.70 from OpenBSD.
admbugs: 552
Obtained from: OpenBSD
MFC after: 3 days
Modified:
head/sbin/dhclient/options.c
Modified: head/sbin/dhclient/options.c
==============================================================================
--- head/sbin/dhclient/options.c Wed Jun 26 20:11:52 2019
(r349438)
+++ head/sbin/dhclient/options.c Wed Jun 26 20:19:48 2019
(r349439)
@@ -896,6 +896,5 @@ do_packet(struct interface_info *interface, struct dhc
/* Free the data associated with the options. */
for (i = 0; i < 256; i++)
- if (tp.options[i].len && tp.options[i].data)
- free(tp.options[i].data);
+ free(tp.options[i].data);
}
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
