{"object_kind":"push","event_name":"push","before":"b5b0dcc90f95b6e0425952f3cec9945db6883776","after":"9618527fed94ff3cfa70cd3695d4ec72f93baa50","ref":"refs/heads/main","ref_protected":false,"checkout_sha":"9618527fed94ff3cfa70cd3695d4ec72f93baa50","message":null,"user_id":1255007,"user_name":"Josephine Pfeiffer","user_username":"josie","user_email":"josie@redhat.com","user_avatar":"https://gitlab.freedesktop.org/uploads/-/system/user/avatar/1255007/avatar.png","project_id":411,"project":{"id":411,"name":"NetworkManager","description":"NetworkManager — network management daemon","web_url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager","avatar_url":"https://gitlab.freedesktop.org/uploads/-/system/project/avatar/411/nm_logo.png","git_ssh_url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","git_http_url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git","namespace":"NetworkManager","visibility_level":20,"path_with_namespace":"NetworkManager/NetworkManager","default_branch":"main","ci_config_path":"","homepage":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager","url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","ssh_url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","http_url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git"},"commits":[{"id":"1a3e6dbaa1044eaf69229cdd63929f9ce5d88c97","message":"n-dhcp4: discard UDP packets with length shorter than the UDP header\n\npacket_recvfrom_udp() computes the payload length as\nntohs(udp_hdr.len) - sizeof(struct udphdr). A udp.len field smaller than\nthe 8-byte UDP header makes this subtraction underflow: pktlen (ssize_t)\nbecomes negative and is then passed as the size_t size argument to\npacket_internet_checksum_udp(), which reads far out of bounds and crashes.\nThe existing checks reject a udp.len that is too large, but not one that is\ntoo small.\n\nAn on-link attacker can crash NetworkManager by sending a UDP packet with\nudp.len < 8 during a DHCP exchange. Reject such packets early.\n\n[josie@redhat.com: reword the comment and match sizeof to the guarded\nsubtraction]\n","title":"n-dhcp4: discard UDP packets with length shorter than the UDP header","timestamp":"2026-06-08T12:18:58+02:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/1a3e6dbaa1044eaf69229cdd63929f9ce5d88c97","author":{"name":"Günther Noack","email":"gnoack3000@gmail.com"},"added":[],"modified":["src/n-dhcp4/src/util/packet.c"],"removed":[]},{"id":"699b1329ad1761bd0294a94686ae2a8072ab1e4a","message":"n-dhcp4: add regression test for short UDP packet length\n\nExercise packet_recvfrom_udp() with UDP packets whose udp.len is shorter\nthan the UDP header. Each value in the underflowing range (0, 1, 7) must be\ndiscarded whether or not the packet carries a UDP checksum, while the\nzero-payload udp.len == sizeof(struct udphdr) boundary and a header plus\npayload packet must be accepted. Acceptance is checked through the source\naddress, which packet_recvfrom_udp() fills only when it keeps the packet.\n\nBased on a regression test by Günther Noack <gnoack3000@gmail.com>.\n","title":"n-dhcp4: add regression test for short UDP packet length","timestamp":"2026-06-08T12:37:59+02:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/699b1329ad1761bd0294a94686ae2a8072ab1e4a","author":{"name":"Josephine Pfeiffer","email":"josie@redhat.com"},"added":[],"modified":["src/n-dhcp4/src/util/test-packet.c"],"removed":[]},{"id":"ae943d7f7d35bc3d129a2c40fddc0905fc417f6b","message":"NEWS: mention the DHCPv4 client out-of-bounds read fix\n","title":"NEWS: mention the DHCPv4 client out-of-bounds read fix","timestamp":"2026-06-08T13:17:41+02:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/ae943d7f7d35bc3d129a2c40fddc0905fc417f6b","author":{"name":"Josephine Pfeiffer","email":"josie@redhat.com"},"added":[],"modified":["NEWS"],"removed":[]},{"id":"9618527fed94ff3cfa70cd3695d4ec72f93baa50","message":"merge: branch 'jp/n-dhcp4-udp-oob-read'\n\nn-dhcp4: discard UDP packets with length shorter than the UDP header\n\nhttps://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2425\n","title":"merge: branch 'jp/n-dhcp4-udp-oob-read'","timestamp":"2026-06-09T12:10:16+02:00","url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/9618527fed94ff3cfa70cd3695d4ec72f93baa50","author":{"name":"Josephine Pfeiffer","email":"josie@redhat.com"},"added":[],"modified":["NEWS","src/n-dhcp4/src/util/packet.c","src/n-dhcp4/src/util/test-packet.c"],"removed":[]}],"total_commits_count":4,"push_options":{},"repository":{"name":"NetworkManager","url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","description":"NetworkManager — network management daemon","homepage":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager","git_http_url":"https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git","git_ssh_url":"git@ssh.gitlab.freedesktop.org:NetworkManager/NetworkManager.git","visibility_level":20}}