Check that we have enough bytes to read the netmask and router

from the classless static routes option.
Thanks to Tobias Stoeckmann.

diff --git a/dhcp.c b/dhcp.c
index 1225dc358b5ba2213c2a5fb889d9c52b6de8388e..c2498b73a2bf87bcdf8fbf19a52cf50b7159e27e 100644 (file)
--- a/dhcp.c
+++ b/dhcp.c
@@ -299,6 +299,10 @@ decode_rfc3442(char *out, size_t len, const uint8_t *p, size_t pl)
                        return -1;
                }
                ocets = (cidr + 7) / NBBY;
+               if (p + 4 + ocets > e) {
+                       errno = ERANGE;
+                       return -1;
+               }
                if (!out) {
                        p += 4 + ocets;
                        bytes += ((4 * 4) * 2) + 4;
@@ -361,6 +365,13 @@ decode_rfc3442_rt(const uint8_t *data, size_t dl)
                        return NULL;
                }
 
+               ocets = (cidr + 7) / NBBY;
+               if (p + 4 + ocets > e) {
+                       ipv4_freeroutes(routes);
+                       errno = ERANGE;
+                       return NULL;
+               }
+
                rt = calloc(1, sizeof(*rt));
                if (rt == NULL) {
                        syslog(LOG_ERR, "%s: %m", __func__);
@@ -369,7 +380,6 @@ decode_rfc3442_rt(const uint8_t *data, size_t dl)
                }
                TAILQ_INSERT_TAIL(routes, rt, next);
 
-               ocets = (cidr + 7) / NBBY;
                /* If we have ocets then we have a destination and netmask */
                if (ocets > 0) {
                        memcpy(&rt->dest.s_addr, p, ocets);