[PATCH] net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing

Francois Berder fberder at outlook.fr
Mon May 11 21:55:31 CEST 2026


The net_boot_file_name is a 1024-byte buffer.
However, based on the DHCPv6 RFC, the bootfile-url length is
specified by option_len, a 16-bit unsigned integer
(valid range: 0-65535).
Hence, one needs to make sure that option_len is less
than the size of the net_boot_file_name array before copying
bootfile-url to net_boot_file_name.

Signed-off-by: Francois Berder <fberder at outlook.fr>
---
 net/dhcpv6.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/dhcpv6.c b/net/dhcpv6.c
index 5bf935cb6a3..51f44979f8e 100644
--- a/net/dhcpv6.c
+++ b/net/dhcpv6.c
@@ -377,6 +377,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
 			break;
 		case DHCP6_OPTION_OPT_BOOTFILE_URL:
 			debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n");
+			if (option_len >= sizeof(net_boot_file_name)) {
+				debug("Option length for BOOTFILE_URL is greater or equal than %zu. Skipping\n",
+				      sizeof(net_boot_file_name));
+				break;
+			}
 			copy_filename(net_boot_file_name, option_ptr, option_len + 1);
 			debug("net_boot_file_name: %s\n", net_boot_file_name);
 
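Review bot: The oversize branch at "if (option_len >= sizeof(net_boot_file_name))" reports the rejection only through debug(), so in a non-debug build an over-long BOOTFILE_URL is dropped silently and net_boot_file_name keeps whatever it held before the break. Consider a message that is visible in normal builds, and reword "greater or equal than" to "greater than or equal to". The bound itself matches the copy: copy_filename() is passed option_len + 1, and the largest accepted option_len is sizeof(net_boot_file_name) - 1. The check covers the destination only; these lines do not show whether option_len is also validated against the remaining len of rx_pkt before option_ptr is read, which is worth confirming for the same malformed-packet case.
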
-- 
2.43.0