dhcpcd-discuss

On 12/05/2019 19:24, Chris Lamb wrote:
> > It is vulnerable because it looks at p[1].
> > At this point we've not checked option length OR if it's inside the buffer.
>
>
> Getcha, so something like:
>
>   			op = p + 1;
>   			bl += ol;
>   		}
> +		if (p + l > e) {

You don't have the variable l at this point.
Also, DHO_PAD and DHO_END are special in that they don't have any length 
attribute so you have to look for it after parsing those options.

> +			errno = EINVAL;
> +			return NULL;
> +		}
>   		switch (o) {
>   		case DHO_PAD:
>   			continue;
>
> … might be sufficient, or might we also need?
>
> -			if (!overl)
> +			if (l == 1 && !overl)
>   				overl = 0x80 | p[1];
>   			break;
>
> .. too?

You will need that too.

Roy