From 68ac18ed5d5b4c2d403396764f08c92a160b4a18 Mon Sep 17 00:00:00 2001 From: Hans Dedecker Date: Fri, 27 Dec 2013 15:49:44 +0100 Subject: [PATCH] Revert "Fix handling of DHCPv6 messages containing option lengths exceeding the message" This reverts commit 26c5d8724355b29694af684ee29b47e52129a33c. --- src/dhcpv6.c | 6 +----- src/odhcp6c.h | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/src/dhcpv6.c b/src/dhcpv6.c index 75bc50e..cd8e438 100644 --- a/src/dhcpv6.c +++ b/src/dhcpv6.c @@ -569,11 +569,7 @@ static bool dhcpv6_response_is_valid(const void *buf, ssize_t len, void *server_id = odhcp6c_get_state(STATE_SERVER_ID, &server_id_len); dhcpv6_for_each_option(&rep[1], end, otype, olen, odata) { - if ((odata + olen) > end) { - options_valid = false; - break; - } - else if (otype == DHCPV6_OPT_CLIENTID) { + if (otype == DHCPV6_OPT_CLIENTID) { clientid_ok = (olen + 4U == client_id_len) && !memcmp( &odata[-4], client_id, client_id_len); } else if (otype == DHCPV6_OPT_SERVERID) { diff --git a/src/odhcp6c.h b/src/odhcp6c.h index 8771521..15be59a 100644 --- a/src/odhcp6c.h +++ b/src/odhcp6c.h @@ -155,7 +155,7 @@ struct dhcpv6_auth_reconfigure { #define dhcpv6_for_each_option(start, end, otype, olen, odata)\ for (uint8_t *_o = (uint8_t*)(start); _o + 4 <= (uint8_t*)(end) &&\ ((otype) = _o[0] << 8 | _o[1]) && ((odata) = (void*)&_o[4]) &&\ - ((olen) = _o[2] << 8 | _o[3]); \ + ((olen) = _o[2] << 8 | _o[3]) + (odata) <= (uint8_t*)(end); \ _o += 4 + (_o[2] << 8 | _o[3])) -- 2.39.2