From 589e33d98a3574e987507684710dbc10fc5bcbf2 Mon Sep 17 00:00:00 2001 From: James Prestwood Date: Tue, 6 Aug 2019 16:08:49 -0400 Subject: dhcp-transport: fix out-of-bounds access If len was odd the iovec was getting accessed out of bounds. 'j' needed to be decremented after the for loop. In addition, the iov_len was not being used to access the last byte of iov_base. --- ell/dhcp-transport.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ell/dhcp-transport.c b/ell/dhcp-transport.c index b43dfbd..56db9dd 100644 --- a/ell/dhcp-transport.c +++ b/ell/dhcp-transport.c @@ -78,9 +78,11 @@ uint16_t _dhcp_checksumv(const struct iovec *iov, size_t iov_cnt) sum += check[i]; } + j--; + if (len & 0x01) { const uint8_t *odd = iov[j].iov_base; - sum += odd[len - 1]; + sum += odd[iov[j].iov_len - 1]; } while (sum >> 16) -- cgit 1.2-0.3.lf.el7