If we fail to store information from the new server, the associated
NA and PD options will never be freed. An attacker could use this
for denial-of-service.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
}
}
+// Note this always takes ownership of cand->ia_na and cand->ia_pd
static void dhcpv6_add_server_cand(const struct dhcpv6_server_cand *cand)
{
size_t cand_len, i;
break;
}
- odhcp6c_insert_state(STATE_SERVER_CAND, i * sizeof(*c), cand, sizeof(*cand));
+ if (odhcp6c_insert_state(STATE_SERVER_CAND, i * sizeof(*c), cand, sizeof(*cand))) {
+ free(cand->ia_na);
+ free(cand->ia_pd);
+ }
}
static void dhcpv6_clear_all_server_cand(void)