DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED

This fix basically moves the option length check up and also corrects off by one error with it. Thanks to Maxime Villard <max@m00nbsd.net>
author: Roy Marples <roy@marples.name> 2019-04-24 12:35:34 +0100
committer: Roy Marples <roy@marples.name> 2019-04-24 12:35:34 +0100
commit: 6adf6108ddb8d3e898aa715edfbaab0a900b4f8d (patch)
tree: 91262fd43934e68f21dc47908e0ae96f14b955c2
parent: c071bfc46fb57fd91b5731272c7bd8be052cc0f0 (diff)
download: dhcpcd-6adf6108ddb8d3e898aa715edfbaab0a900b4f8d.tar.xz
1 files changed, 6 insertions, 4 deletions
diff --git a/dhcp.c b/dhcp.c
index 19f94976..1661bf48 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -201,6 +201,12 @@ get_option(struct dhcpcd_ctx *ctx,
 		}
 		l = *p++;
 
+		/* Check we can read the option data, if present */
+		if (p + l > e) {
+			errno = EINVAL;
+			return NULL;
+		}
+
 		if (o == DHO_OPTSOVERLOADED) {
 			/* Ensure we only get this option once by setting
 			 * the last bit as well as the value.
@@ -235,10 +241,6 @@ get_option(struct dhcpcd_ctx *ctx,
 				bp += ol;
 			}
 			ol = l;
-			if (p + ol >= e) {
-				errno = EINVAL;
-				return NULL;
-			}
 			op = p;
 			bl += ol;
 		}
author	Roy Marples <roy@marples.name>	2019-04-24 12:35:34 +0100
committer	Roy Marples <roy@marples.name>	2019-04-24 12:35:34 +0100
commit	6adf6108ddb8d3e898aa715edfbaab0a900b4f8d (patch)
tree	91262fd43934e68f21dc47908e0ae96f14b955c2
parent	c071bfc46fb57fd91b5731272c7bd8be052cc0f0 (diff)
download	dhcpcd-6adf6108ddb8d3e898aa715edfbaab0a900b4f8d.tar.xz