Clarify udp_len being out of bounds checked.

author Roy Marples <roy@marples.name>

Tue, 28 Jun 2016 12:32:16 +0000 (12:32 +0000)

committer Roy Marples <roy@marples.name>

Tue, 28 Jun 2016 12:32:16 +0000 (12:32 +0000)
author Roy Marples <roy@marples.name>
Tue, 28 Jun 2016 12:32:16 +0000 (12:32 +0000)
committer Roy Marples <roy@marples.name>
Tue, 28 Jun 2016 12:32:16 +0000 (12:32 +0000)
diff --git a/dhcp.c b/dhcp.c

index f1fba03f11c5ac2386ecafc80b4c4ead7cd54a98..6f93c7d6d5ea30cb49e064f1d9d77560cb3a3c91 100644 (file)
--- a/dhcp.c
+++ b/dhcp.c
@@ -3093,7 +3093,7 @@ valid_udp_packet(uint8_t *data, size_t data_len, struct in_addr *from,
         }
  
         bytes = ntohs(p->ip.ip_len);
-       if (data_len < bytes) {
+       if (bytes > data_len) {
                 errno = EINVAL;
                 return -1;
         }
@@ -3167,13 +3167,15 @@ dhcp_handlepacket(struct interface *ifp, uint8_t *data, size_t len, int flags)
          * dhcpcd can work fine without the vendor area being sent.
          */
         udp_len = get_udp_data(&bootp, data);
+       /* udp_len must be correct because the values are checked in
+        * valid_udp_packet(). */
         if (udp_len < offsetof(struct bootp, vend)) {
                 logger(ifp->ctx, LOG_ERR,
                     "%s: truncated packet (%zu) from %s",
                     ifp->name, udp_len, inet_ntoa(from));
                 return;
         }
-       /* But to make our IS_DHCP macro easy, ensure the vendor
+       /* To make our IS_DHCP macro easy, ensure the vendor
          * area has at least 4 octets. */
         while (udp_len < offsetof(struct bootp, vend) + 4)
                 bootp[udp_len++] = '\0';
author	Roy Marples <roy@marples.name>
	Tue, 28 Jun 2016 12:32:16 +0000 (12:32 +0000)
committer	Roy Marples <roy@marples.name>
	Tue, 28 Jun 2016 12:32:16 +0000 (12:32 +0000)