When decoding "string" options in an array, dhcp_attr2vp() could be convinced to call memchr() with a length argument of -1. This could result in an over-read until the first zero octet was found, or a page fault occurred. The security impact is denial of service by any network device capable of sending DHCP packets to FreeRADIUS, which sends string options to the server in an option array. Affected versions: 3.0.0 through 3.0.14, inclusive.
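An added example, not FreeRADIUS code and not the proposed patch: a bounds-checked splitter for NUL-separated strings in one option value, with a comment showing one way a memchr() length of -1 can arise in such a loop. The names `str_span` and `split_string_array` and the unsafe loop shape are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types and names; not taken from FreeRADIUS. */
typedef struct {
    const uint8_t *ptr;  /* start of one string inside the option value */
    size_t len;          /* length without the terminating zero octet */
} str_span;

/*
 * Unsafe shape (assumed for illustration, shown only as a comment):
 *
 *     q = memchr(p, '\0', end - p);
 *     if (!q) q = end;
 *     p = q + 1;                 // p == end + 1 when q == end
 *
 * On the next pass end - p is -1, which memchr() receives as SIZE_MAX
 * and scans past the packet until a zero octet or an unmapped page.
 */

/*
 * Split data[0..len) into NUL-separated strings. Writes at most max
 * spans to out and returns how many were written. The loop condition
 * p < end guarantees the length given to memchr() is between 1 and len.
 */
size_t split_string_array(const uint8_t *data, size_t len,
                          str_span *out, size_t max)
{
    if (!data || !out) return 0;

    const uint8_t *p = data;
    const uint8_t *end = data + len;
    size_t n = 0;

    while (p < end && n < max) {
        size_t remaining = (size_t)(end - p);
        const uint8_t *q = memchr(p, '\0', remaining);

        if (!q) q = end;              /* unterminated tail: take the rest */
        out[n].ptr = p;
        out[n].len = (size_t)(q - p);
        n++;
        p = (q < end) ? q + 1 : end;  /* step over the terminator, never past end */
    }
    return n;
}
```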
Acknowledgments:
Name: the FreeRADIUS project
Upstream: Guido Vranken
Created attachment 1295268
Proposed patch
Created freeradius tracking bugs for this issue:
Affects: fedora-all [bug 1471864]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2389 https://access.redhat.com/errata/RHSA-2017:2389
External References:
http://freeradius.org/security/fuzzer-2017.html