summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoy Marples <roy@marples.name>2019-04-19 21:00:19 +0100
committerRoy Marples <roy@marples.name>2019-04-19 21:00:19 +0100
commit4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8 (patch)
tree74e814a7d451c36de3d807d94741f08c195a4cb0
parent8d11b33f6c60e2db257130fa383ba76b6018bcf6 (diff)
DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
This fix basically moves the option length check up and also corrects an off by one error with it. Thanks to Maxime Villard <max@m00nbsd.net>
-rw-r--r--src/dhcp.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/dhcp.c b/src/dhcp.c
index f7cdefc9..e13d1b4b 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -215,6 +215,12 @@ get_option(struct dhcpcd_ctx *ctx,
}
l = *p++;
+ /* Check we can read the option data, if present */
+ if (p + l > e) {
+ errno = EINVAL;
+ return NULL;
+ }
+
if (o == DHO_OPTSOVERLOADED) {
/* Ensure we only get this option once by setting
* the last bit as well as the value.
@@ -249,10 +255,6 @@ get_option(struct dhcpcd_ctx *ctx,
bp += ol;
}
ol = l;
- if (p + ol >= e) {
- errno = EINVAL;
- return NULL;
- }
op = p;
bl += ol;
}