changeset 4478:2f4811ec407b draft

DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED

This fix basically moves the option length check up and also corrects an off-by-one error with it.

Thanks to Maxime Villard <max@m00nbsd.net>
author Roy Marples <roy@marples.name>
date Wed, 24 Apr 2019 12:35:34 +0100
parents d853285a06ce
children fbc041e8e8ee
files dhcp.c
diffstat 1 files changed, 6 insertions(+), 4 deletions(-)
--- a/dhcp.c	Mon Mar 27 16:45:49 2017 +0100
+++ b/dhcp.c	Wed Apr 24 12:35:34 2019 +0100
@@ -201,6 +201,12 @@
 		}
 		l = *p++;
 
+		/* Check we can read the option data, if present */
+		if (p + l > e) {
+			errno = EINVAL;
+			return NULL;
+		}
+
 		if (o == DHO_OPTSOVERLOADED) {
 			/* Ensure we only get this option once by setting
 			 * the last bit as well as the value.
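Review bot: the added check `if (p + l > e)` computes `p + l` before comparing, and `l` comes straight from the packet (`l = *p++`), so the sum can point well past `e`. Forming a pointer more than one element beyond the end of the buffer is undefined behaviour in C, and a compiler is allowed to assume it never happens. Comparing lengths avoids that, for example `if (l > e - p)` with a cast to match the type of `l`. The visible context also does not show whether `p < e` is tested before `l = *p++`; that is worth confirming, since otherwise the length byte itself is read out of bounds.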
@@ -235,10 +241,6 @@
 				bp += ol;
 			}
 			ol = l;
-			if (p + ol >= e) {
-				errno = EINVAL;
-				return NULL;
-			}
 			op = p;
 			bl += ol;
 		}
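Review bot: the check removed here used `p + ol >= e`, while the one that replaces it earlier in the loop uses `p + l > e`, so an option whose data ends exactly at `e` is now accepted where it previously returned EINVAL. The commit message mentions the off-by-one, but nothing in the code records which boundary is intended. A one-line comment at the new check stating that `p + l == e` is valid would help, along with a regression test that feeds one option ending exactly at `e` and one running a byte past it. Note too that the new check sits ahead of the `o == DHO_OPTSOVERLOADED` test, so as far as the visible lines show it now runs on paths the removed check, nested in this block, did not cover; a truncated option on those paths now makes the function return NULL, which deserves a mention in the message.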