Author: markj Date: Wed Jun 26 20:19:48 2019 New Revision: 349439 URL: https://svnweb.freebsd.org/changeset/base/349439
Log: Free DHCP options with length zero. Otherwise they are leaked, allowing an attacker to trigger memory exhaustion. This is options.c rev. 1.70 from OpenBSD. admbugs: 552 Obtained from: OpenBSD MFC after: 3 days Modified: head/sbin/dhclient/options.c Modified: head/sbin/dhclient/options.c ============================================================================== --- head/sbin/dhclient/options.c Wed Jun 26 20:11:52 2019 (r349438) +++ head/sbin/dhclient/options.c Wed Jun 26 20:19:48 2019 (r349439) @@ -896,6 +896,5 @@ do_packet(struct interface_info *interface, struct dhc /* Free the data associated with the options. */ for (i = 0; i < 256; i++) - if (tp.options[i].len && tp.options[i].data) - free(tp.options[i].data); + free(tp.options[i].data); } _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"