The fr_dhcp_decode_suboptions() function does not properly check if sub-options overflow the packet. The server can read up to a small number of octets more data than it should. Depending on memory layout, this read may initiate a page fault, and cause the server to crash. The security impact is denial of service by any network device capable of sending DHCP packets to FreeRADIUS, which sends packets with malformed options. Affected versions: 3.0.0 through 3.0.14, inclusive.
Acknowledgments:
Name: the FreeRADIUS project
Upstream: Guido Vranken
Created attachment 1295267: Proposed patch
Created freeradius tracking bugs for this issue:
Affects: fedora-all [bug 1471865]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2389 https://access.redhat.com/errata/RHSA-2017:2389
External References:
http://freeradius.org/security/fuzzer-2017.html
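The class of check the report at the top says is missing, as an added example that is neither FreeRADIUS code nor the proposed patch: a sub-option walker that refuses any header or value extending past the enclosing option. The function name `walk_suboptions`, the one-octet code / one-octet length layout, and the sample byte strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not FreeRADIUS code: walk the sub-options packed
 * inside one DHCP option value. Assumed layout of each sub-option:
 * [code:1][len:1][value:len].
 * Returns the number of well-formed sub-options, or -1 if any header or
 * value would extend past the end of the enclosing option. */
static int walk_suboptions(const uint8_t *data, size_t data_len)
{
    const uint8_t *p = data;
    const uint8_t *end = data + data_len;
    int count = 0;

    while (p < end) {
        /* The 2-octet header must fit before p[1] is read. */
        if ((size_t)(end - p) < 2) return -1;

        size_t sub_len = p[1];

        /* The declared value length must fit in the octets that remain;
         * compare against the remainder instead of advancing first. */
        if (sub_len > (size_t)(end - p) - 2) return -1;

        p += 2 + sub_len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not taken from any real packet). */
static const uint8_t good[]       = { 0x01, 0x02, 0xaa, 0xbb, 0x02, 0x01, 0xcc };
static const uint8_t long_len[]   = { 0x01, 0x02, 0xaa, 0xbb, 0x02, 0x05, 0xcc };
static const uint8_t cut_header[] = { 0x01, 0x02, 0xaa, 0xbb, 0x02 };

int main(void)
{
    printf("good:       %d\n", walk_suboptions(good, sizeof(good)));
    printf("long_len:   %d\n", walk_suboptions(long_len, sizeof(long_len)));
    printf("cut_header: %d\n", walk_suboptions(cut_header, sizeof(cut_header)));
    return 0;
}
```

The two rejected inputs cover both ways a sub-option can run off the end: a length octet larger than the remaining data, and a header truncated after the code octet.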