From b74a980d3e9de1105802eab9c306d87ef5f1a163 Mon Sep 17 00:00:00 2001
From: Roy Marples <roy@marples.name>
Date: Tue, 3 May 2016 22:50:53 +0000
Subject: [PATCH] Apply a bit more security around parsing DHCP.

---
 dhcp.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/dhcp.c b/dhcp.c
index 5fa01998..3f4295de 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -1148,13 +1148,18 @@ read_lease(struct interface *ifp)
 			close(fd);
 		return NULL;
 	}
-	bytes = read(fd, dhcp, sizeof(*dhcp));
+	bytes = read(fd, (char *)dhcp, sizeof(*dhcp));
 	if (fd_opened)
 		close(fd);
-	if (bytes < 0) {
+	if (bytes == -1) {
 		free(dhcp);
 		return NULL;
 	}
+	if ((size_t)bytes < offsetof(struct dhcp_message, cookie)) {
+		free(dhcp);
+		errno = EINVAL;
+		return NULL;
+	}
 
 	if (ifp->ctx->options & DHCPCD_DUMPLEASE)
 		return dhcp;
@@ -3067,6 +3072,12 @@ dhcp_handlepacket(void *arg)
 			    ifp->name, inet_ntoa(from));
 			continue;
 		}
+		if (bytes < offsetof(struct dhcp_message, cookie)) {
+			logger(ifp->ctx, LOG_ERR,
+			    "%s: truncated packet from %s",
+			    ifp->name, inet_ntoa(from));
+			continue;
+		}
 		if (dhcp == NULL) {
 		        dhcp = calloc(1, sizeof(*dhcp));
 			if (dhcp == NULL) {
@@ -3076,11 +3087,8 @@ dhcp_handlepacket(void *arg)
 			}
 		}
 		memcpy(dhcp, pp, bytes);
-		if (dhcp->cookie != htonl(MAGIC_COOKIE)) {
-			logger(ifp->ctx, LOG_DEBUG, "%s: bogus cookie from %s",
-			    ifp->name, inet_ntoa(from));
-			continue;
-		}
+		if (bytes < (ssize_t)sizeof(*dhcp))
+			memset((char *)dhcp + bytes, 0, sizeof(*dhcp) - bytes);
 		/* Ensure packet is for us */
 		if (ifp->hwlen <= sizeof(dhcp->chaddr) &&
 		    memcmp(dhcp->chaddr, ifp->hwaddr, ifp->hwlen))
-- 
2.47.3