From: Thomas Markwalder
Date: Fri, 20 Dec 2019 16:34:49 +0000 (-0500)
Subject: [#71] Fixed buffer pointer logic in dhcrelay.c
X-Git-Tag: v4_1_esv_r16~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b68402e0bbb4943b84149cc21cbb3ec20cc07318;p=thirdparty%2Fdhcp.git
[#71] Fixed buffer pointer logic in dhcrelay.c dhcrelay.c strip_relay_agent_options add_relay_agent_options - corrected buffer pointer logic
---
diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
index 407b48188..36a891a52 100644
--- a/relay/dhcrelay.c
+++ b/relay/dhcrelay.c
@@ -880,8 +880,13 @@ strip_relay_agent_options(struct interface_info *in,
 return (0);
 if (sp != op) {
- memmove(sp, op, op[1] + 2);
- sp += op[1] + 2;
+ size_t mlen = op[1] + 2;
+ memmove(sp, op, mlen);
+ sp += mlen;
+ if (sp > max) {
+ return (0);
+ }
+ op = nextop;
 } else
 op = sp = nextop;
@@ -1104,8 +1109,13 @@ add_relay_agent_options(struct interface_info *ip, struct dhcp_packet *packet,
 end_pad = NULL;
 if (sp != op) {
- memmove(sp, op, op[1] + 2);
- sp += op[1] + 2;
+ size_t mlen = op[1] + 2;
+ memmove(sp, op, mlen);
+ sp += mlen;
+ if (sp > max) {
+ return (0);
+ }
+ op = nextop;
 } else
 op = sp = nextop;
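Review bot: The new `if (sp > max)` test runs after `memmove(sp, op, mlen)` and `sp += mlen`, so if it can ever fire, the copy past `max` has already happened and `sp` already points beyond the buffer. Put the bound in front of the copy instead, e.g. `if (mlen > (size_t)(max - sp)) return (0);`, which assumes `sp <= max` on entry; the lines outside the hunk would need to confirm that. If the `return (0);` in the leading context belongs to a check of `nextop` against `max`, and `sp` never runs ahead of `op`, the new test is unreachable and deserves a short comment saying it is purely defensive. The identical block in the add_relay_agent_options hunk has the same ordering. Both functions begin and end outside the hunks shown.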
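Review bot: The added `op = nextop;` is the behavioural fix, yet nothing in the block says why it is needed; on the removed side only `sp` moved in the `sp != op` branch. A one-line comment above it, such as `/* Advance op past the option just copied down; moving sp alone leaves op on the same option. */`, would keep the line from being dropped in a later cleanup. The same seven added lines also appear in the strip_relay_agent_options hunk, so a small static helper shared by both functions would keep any future correction in one place. The body of add_relay_agent_options continues outside the hunk.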