The fr_dhcp_decode() function performed a strcmp() on binary data in an internal data structure, instead of checking the length of the option and doing a memcmp(). The server can read memory until it reaches a zero byte. Depending on memory layout, this read may initiate a page fault and cause the server to crash. The security impact is denial of service: any network device capable of sending DHCP packets to FreeRADIUS can trigger it by sending a DHCP option 63 with non-zero contents. Affected versions: 2.0.0 through 3.0.14, inclusive.
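The comparison pattern described above next to its length-checked form, as an added example; this is not FreeRADIUS code and not part of the original report. The `dhcp_opt` struct, the `MARKER` string, the function names and the packet bytes are all constructed for illustration. The trailing bytes stay inside the sample buffer so the unsafe call remains well defined here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed marker string for illustration; not taken from FreeRADIUS. */
static const char MARKER[] = "VENDOR-ID";

/* Hypothetical decoded option: value points into the packet, len is its size. */
struct dhcp_opt { const uint8_t *value; size_t len; };

/* Constructed packet: option 63 with length 6 ("VENDOR"). The bytes after it
 * stand in for whatever memory happens to follow the option data. */
static const uint8_t PACKET[] = {
    63, 6, 'V', 'E', 'N', 'D', 'O', 'R',
    '-', 'I', 'D', 0x00, 0xff
};

/* Read one code/length/value option, rejecting a length that overruns n. */
static struct dhcp_opt parse_first_option(const uint8_t *p, size_t n)
{
    struct dhcp_opt o = { NULL, 0 };
    if (n >= 2 && (size_t)p[1] <= n - 2) { o.value = p + 2; o.len = p[1]; }
    return o;
}

/* Pattern from the report: binary data treated as a C string. strcmp() keeps
 * reading past o->len until it finds a mismatch or a zero byte. */
static int match_unsafe(const struct dhcp_opt *o)
{
    return strcmp((const char *)o->value, MARKER) == 0;
}

/* Fix described in the report: check the length, then memcmp() that many bytes. */
static int match_safe(const struct dhcp_opt *o)
{
    size_t want = sizeof(MARKER) - 1;
    return o->len == want && memcmp(o->value, MARKER, want) == 0;
}

int main(void)
{
    struct dhcp_opt o = parse_first_option(PACKET, sizeof(PACKET));
    printf("len=%zu unsafe=%d safe=%d\n", o.len, match_unsafe(&o), match_safe(&o));
    return 0;
}
```

The unsafe routine reports a match for a 6-byte option because its answer is decided by bytes beyond the option's length; the length-checked routine never looks at them.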
Acknowledgments: Name: the FreeRADIUS project; Upstream: Guido Vranken
Created attachment 1295275: Proposed patch 1/2
Created attachment 1295276: Proposed patch 2/2
Created freeradius tracking bugs for this issue: Affects: fedora-all [bug 1471860]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:1759 https://access.redhat.com/errata/RHSA-2017:1759
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2389 https://access.redhat.com/errata/RHSA-2017:2389
External References: http://freeradius.org/security/fuzzer-2017.html