From: Hans Dedecker <hans.dedecker@technicolor.com>
Date: Thu, 12 Dec 2013 16:05:25 +0000 (+0100)
Subject: Fix handling of DHCPv6 messages containing option lengths exceeding the message
X-Git-Tag: debian/1.1+git20160131-1~107^2~7
X-Git-Url: https://git.decadent.org.uk/gitweb/?p=odhcp6c.git;a=commitdiff_plain;h=26c5d8724355b29694af684ee29b47e52129a33c

Fix handling of DHCPv6 messages containing option lengths exceeding the message
---

diff --git a/src/dhcpv6.c b/src/dhcpv6.c
index cd8e438..75bc50e 100644
--- a/src/dhcpv6.c
+++ b/src/dhcpv6.c
@@ -569,7 +569,11 @@ static bool dhcpv6_response_is_valid(const void *buf, ssize_t len,
 	void *server_id = odhcp6c_get_state(STATE_SERVER_ID, &server_id_len);
 
 	dhcpv6_for_each_option(&rep[1], end, otype, olen, odata) {
-		if (otype == DHCPV6_OPT_CLIENTID) {
+		if ((odata + olen) > end) {
+			options_valid = false;
+			break;
+		}
+		else if (otype == DHCPV6_OPT_CLIENTID) {
 			clientid_ok = (olen + 4U == client_id_len) && !memcmp(
 					&odata[-4], client_id, client_id_len);
 		} else if (otype == DHCPV6_OPT_SERVERID) {
diff --git a/src/odhcp6c.h b/src/odhcp6c.h
index 15be59a..8771521 100644
--- a/src/odhcp6c.h
+++ b/src/odhcp6c.h
@@ -155,7 +155,7 @@ struct dhcpv6_auth_reconfigure {
 #define dhcpv6_for_each_option(start, end, otype, olen, odata)\
 	for (uint8_t *_o = (uint8_t*)(start); _o + 4 <= (uint8_t*)(end) &&\
 		((otype) = _o[0] << 8 | _o[1]) && ((odata) = (void*)&_o[4]) &&\
-		((olen) = _o[2] << 8 | _o[3]) + (odata) <= (uint8_t*)(end); \
+		 ((olen) = _o[2] << 8 | _o[3]); \
 		_o += 4 + (_o[2] << 8 | _o[3]))