An out-of-bounds read flaw was found in the way FreeRADIUS server handles decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request.
The fr_dhcp_decode_options() function does not do proper bounds checks on option lengths, leading to out-of-bounds read.
The server can read up to 253 octets more data than it should. Depending on memory layout, this read may initiate a page fault, and cause the server to crash.
The security impact is denial of service by any network device capable of sending DHCP packets to FreeRADIUS, which sends packets with malformed options.
Affected versions: 2.0.0 through 2.2.9, inclusive.
Name: the FreeRADIUS project
Upstream: Guido Vranken
Created attachment 1295277 [details]
Created freeradius tracking bugs for this issue:
Affects: fedora-all [bug 1471858]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2017:1759 https://access.redhat.com/errata/RHSA-2017:1759