From 26c5d8724355b29694af684ee29b47e52129a33c Mon Sep 17 00:00:00 2001 From: Hans Dedecker Date: Thu, 12 Dec 2013 17:05:25 +0100 Subject: [PATCH] Fix handling of DHCPv6 messages containing option lengths exceeding the message --- src/dhcpv6.c | 6 +++++- src/odhcp6c.h | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/src/dhcpv6.c b/src/dhcpv6.c index cd8e438..75bc50e 100644 --- a/src/dhcpv6.c +++ b/src/dhcpv6.c @@ -569,7 +569,11 @@ static bool dhcpv6_response_is_valid(const void *buf, ssize_t len, void *server_id = odhcp6c_get_state(STATE_SERVER_ID, &server_id_len); dhcpv6_for_each_option(&rep[1], end, otype, olen, odata) { - if (otype == DHCPV6_OPT_CLIENTID) { + if ((odata + olen) > end) { + options_valid = false; + break; + } + else if (otype == DHCPV6_OPT_CLIENTID) { clientid_ok = (olen + 4U == client_id_len) && !memcmp( &odata[-4], client_id, client_id_len); } else if (otype == DHCPV6_OPT_SERVERID) { diff --git a/src/odhcp6c.h b/src/odhcp6c.h index 15be59a..8771521 100644 --- a/src/odhcp6c.h +++ b/src/odhcp6c.h @@ -155,7 +155,7 @@ struct dhcpv6_auth_reconfigure { #define dhcpv6_for_each_option(start, end, otype, olen, odata)\ for (uint8_t *_o = (uint8_t*)(start); _o + 4 <= (uint8_t*)(end) &&\ ((otype) = _o[0] << 8 | _o[1]) && ((odata) = (void*)&_o[4]) &&\ - ((olen) = _o[2] << 8 | _o[3]) + (odata) <= (uint8_t*)(end); \ + ((olen) = _o[2] << 8 | _o[3]); \ _o += 4 + (_o[2] << 8 | _o[3])) -- 2.39.5