The fr_dhcp_decode_options() function does not do proper bounds checks on option lengths, leading to an out-of-bounds read. The server can read up to 253 octets more data than it should. Depending on memory layout, this read may initiate a page fault and cause the server to crash. The security impact is denial of service by any network device capable of sending DHCP packets to FreeRADIUS, which sends packets with malformed options. Affected versions: 2.0.0 through 2.2.9, inclusive.
Acknowledgments: Name: the FreeRADIUS project Upstream: Guido Vranken
Created attachment 1295277: Proposed patch
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1471858]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:1759 https://access.redhat.com/errata/RHSA-2017:1759
External References: http://freeradius.org/security/fuzzer-2017.html
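The missing check described in the report above, shown as a bounds-checked walk over a DHCP options area (RFC 2132 code/length/value encoding). This is an added example, not FreeRADIUS code and not the proposed patch; the function name count_dhcp_options and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHCP_OPT_PAD 0
#define DHCP_OPT_END 255

/* Hypothetical helper (not a FreeRADIUS function): walk the options
 * area of a DHCP packet. Returns the number of well-formed options,
 * or -1 if an option header or its declared length would run past
 * the end of the buffer. */
int count_dhcp_options(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        uint8_t code = opts[off];

        if (code == DHCP_OPT_PAD) { off++; continue; } /* one-octet pad */
        if (code == DHCP_OPT_END) break;               /* one-octet end marker */

        /* The length octet itself must be inside the buffer. */
        if (len - off < 2) return -1;
        uint8_t olen = opts[off + 1];

        /* The declared data length (0..255) must fit in what remains;
         * without this test the data read can overrun the packet. */
        if ((size_t)olen > len - off - 2) return -1;

        off += 2 + (size_t)olen;
        count++;
    }
    return count;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t sample_good[] = { 53, 1, 1, 0, 12, 2, 'h', 'i', 255 };
static const uint8_t sample_bad[]  = { 53, 1, 1, 12, 200, 'h', 'i' }; /* claims 200 octets, has 2 */
static const uint8_t sample_cut[]  = { 53, 1, 1, 12 };                /* length octet missing */

int main(void)
{
    printf("good=%d bad=%d cut=%d\n",
           count_dhcp_options(sample_good, sizeof sample_good),
           count_dhcp_options(sample_bad, sizeof sample_bad),
           count_dhcp_options(sample_cut, sizeof sample_cut));
    return 0;
}
```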