DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
authorRoy Marples <roy@marples.name>
Fri, 19 Apr 2019 20:00:19 +0000 (21:00 +0100)
committerRoy Marples <roy@marples.name>
Fri, 19 Apr 2019 20:00:19 +0000 (21:00 +0100)
This fix basically moves the option length check up and also
corrects an off-by-one error in it.

Thanks to Maxime Villard <max@m00nbsd.net>

src/dhcp.c

index f7cdefc9fb8afc4786fb9873bff15359a442bb63..e13d1b4b56767f22fc6b2e2a3d241ee8ef5892f5 100644 (file)
@@ -215,6 +215,12 @@ get_option(struct dhcpcd_ctx *ctx,
                }
                l = *p++;
 
+               /* Check we can read the option data, if present */
+               if (p + l > e) {
+                       errno = EINVAL;
+                       return NULL;
+               }
+
                if (o == DHO_OPTSOVERLOADED) {
                        /* Ensure we only get this option once by setting
                         * the last bit as well as the value.
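Review bot: The added guard `if (p + l > e)` computes the pointer `p + l` before comparing it, so a length byte larger than the bytes remaining in the packet makes the expression point more than one element past the end of the buffer, which is undefined behaviour in C even though nothing is dereferenced. Comparing lengths instead keeps the arithmetic inside the buffer: `if (l > (size_t)(e - p)) {`. This assumes `e` is the one-past-the-end pointer of the message and `p <= e` at this point; the declarations and the `l = *p++` read's own bounds check sit above the hunk, as get_option starts and ends outside it. A one-line comment such as `/* l comes from the wire; never trust it beyond e - p */` would also make it clear why the check has to precede the DHO_OPTSOVERLOADED branch.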
@@ -249,10 +255,6 @@ get_option(struct dhcpcd_ctx *ctx,
                                bp += ol;
                        }
                        ol = l;
-                       if (p + ol >= e) {
-                               errno = EINVAL;
-                               return NULL;
-                       }
                        op = p;
                        bl += ol;
                }