Fix handling of DHCPv6 messages containing option lengths exceeding the message

diff --git a/src/dhcpv6.c b/src/dhcpv6.c
index cd8e43800dca33315047cd000262a5697c985be5..75bc50e84e89f641f0b6f450650f86c60f1b83b3 100644 (file)
--- a/src/dhcpv6.c
+++ b/src/dhcpv6.c
@@ -569,7 +569,11 @@ static bool dhcpv6_response_is_valid(const void *buf, ssize_t len,
        void *server_id = odhcp6c_get_state(STATE_SERVER_ID, &server_id_len);
 
        dhcpv6_for_each_option(&rep[1], end, otype, olen, odata) {
-               if (otype == DHCPV6_OPT_CLIENTID) {
+               if ((odata + olen) > end) {
+                       options_valid = false;
+                       break;
+               }
+               else if (otype == DHCPV6_OPT_CLIENTID) {
                        clientid_ok = (olen + 4U == client_id_len) && !memcmp(
                                        &odata[-4], client_id, client_id_len);
                } else if (otype == DHCPV6_OPT_SERVERID) {

diff --git a/src/odhcp6c.h b/src/odhcp6c.h
index 15be59ae4de59ec94c2e91fc869f7a88f2af85b1..87715214622def7044354a6fc46a78c70a35620b 100644 (file)
--- a/src/odhcp6c.h
+++ b/src/odhcp6c.h
@@ -155,7 +155,7 @@ struct dhcpv6_auth_reconfigure {
 #define dhcpv6_for_each_option(start, end, otype, olen, odata)\
        for (uint8_t *_o = (uint8_t*)(start); _o + 4 <= (uint8_t*)(end) &&\
                ((otype) = _o[0] << 8 | _o[1]) && ((odata) = (void*)&_o[4]) &&\
-               ((olen) = _o[2] << 8 | _o[3]) + (odata) <= (uint8_t*)(end); \
+                ((olen) = _o[2] << 8 | _o[3]); \
                _o += 4 + (_o[2] << 8 | _o[3]))