changeset 4459:293fe50331c8 draft

DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
This fix basically moves the option length check up and also corrects an off-by-one error in it. Thanks to Maxime Villard <max@m00nbsd.net>
author Roy Marples <roy@marples.name>
date Fri, 19 Apr 2019 21:00:19 +0100
parents 0e6212a4aa03
children 130cd805b577
files src/dhcp.c
diffstat 1 files changed, 6 insertions(+), 4 deletions(-) [+]
--- a/src/dhcp.c	Fri Apr 19 09:45:02 2019 +0100
+++ b/src/dhcp.c	Fri Apr 19 21:00:19 2019 +0100
@@ -215,6 +215,12 @@
 		}
 		l = *p++;
 
+		/* Check we can read the option data, if present */
+		if (p + l > e) {
+			errno = EINVAL;
+			return NULL;
+		}
+
 		if (o == DHO_OPTSOVERLOADED) {
 			/* Ensure we only get this option once by setting
 			 * the last bit as well as the value.
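Review bot: The added check `if (p + l > e)` forms the pointer `p + l` before comparing it, and when the length byte claims more data than the buffer holds, that addition is itself undefined behaviour in C (a pointer may only point into its array or one past the end), so a compiler may assume the condition is false. Comparing the length with the space that remains avoids this: `if (l > (size_t)(e - p)) {`, assuming `p <= e` holds at this point, which the lines above the hunk would have to guarantee. The enclosing loop and the `DHO_OPTSOVERLOADED` branch both extend outside the hunk. From here it cannot be confirmed whether the `l = *p++` read is itself guarded, or whether that branch checks `l` before touching option data, given that a zero-length option at the very end of the buffer passes this check.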
@@ -249,10 +255,6 @@
 				bp += ol;
 			}
 			ol = l;
-			if (p + ol >= e) {
-				errno = EINVAL;
-				return NULL;
-			}
 			op = p;
 			bl += ol;
 		}