proxyarp: Validate IPv4 header total length value in dhcp_snoop

This field needs to be validated in addition to validating the total
length of the received frame to avoid reading beyond the frame buffer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/ap/dhcp_snoop.c b/src/ap/dhcp_snoop.c
index 0f62eb7ac6816bccca6a0233880aa5f3c4d7f8db..a7060246755ffe82619a19bed564a18aa89907ea 100644 (file)
--- a/src/ap/dhcp_snoop.c
+++ b/src/ap/dhcp_snoop.c
@@ -52,17 +52,22 @@ static void handle_dhcp(void *ctx, const u8 *src_addr, const u8 *buf,
        const u8 *end, *pos;
        int res, msgtype = 0, prefixlen = 32;
        u32 subnet_mask = 0;
+       u16 tot_len;
 
        exten_len = len - ETH_HLEN - (sizeof(*b) - sizeof(b->exten));
        if (exten_len < 4)
                return;
 
        b = (const struct bootp_pkt *) &buf[ETH_HLEN];
+       tot_len = ntohs(b->iph.tot_len);
+       if (tot_len > (unsigned int) (len - ETH_HLEN))
+               return;
+
        if (os_memcmp(b->exten, ic_bootp_cookie, ARRAY_SIZE(ic_bootp_cookie)))
                return;
 
        /* Parse DHCP options */
-       end = (const u8 *) b + ntohs(b->iph.tot_len);
+       end = (const u8 *) b + tot_len;
        pos = &b->exten[4];
        while (pos < end && *pos != 0xff) {
                const u8 *opt = pos++;