Ensure that option length fits inside data length less option size.
authorRoy Marples <roy@marples.name>
Mon, 4 Jan 2016 23:31:43 +0000 (23:31 +0000)
committerRoy Marples <roy@marples.name>
Mon, 4 Jan 2016 23:31:43 +0000 (23:31 +0000)
Thanks to Nico Golde for the report.

Fixes CVE-2016-1504

dhcp.c
dhcp6.c

diff --git a/dhcp.c b/dhcp.c
index c75ba5523c611dfed679dd832e12a8a7d569c9a6..c1361ea72fe4bfb34a76ada003bfc5ce27fe0b2a 100644 (file)
--- a/dhcp.c
+++ b/dhcp.c
@@ -1224,12 +1224,13 @@ dhcp_getoption(struct dhcpcd_ctx *ctx,
                *os = 2; /* code + len */
                *code = (unsigned int)*od++;
                *len = (size_t)*od++;
-               if (*len > ol) {
+               if (*len > ol - *os) {
                        errno = EINVAL;
                        return NULL;
                }
        }
 
+       *oopt = NULL;
        for (i = 0, opt = ctx->dhcp_opts; i < ctx->dhcp_opts_len; i++, opt++) {
                if (opt->option == *code) {
                        *oopt = opt;
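Review bot: The new bound `*len > ol - *os` is only sound if `ol >= *os` already holds when it runs: `*len` is a `size_t`, so the subtraction is presumably unsigned and would wrap for an `ol` of 0 or 1, letting any length pass, and the two `*od++` reads just above it need the same guarantee. That guard is not visible in this hunk (the `if (od)` block begins outside it), so please confirm it exists and record the invariant next to the check, e.g. `/* ol >= *os was verified above, so ol - *os cannot wrap */`. The same applies to the identical check in the first dhcp6.c hunk, where `*os` is also set outside the hunk.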
diff --git a/dhcp6.c b/dhcp6.c
index 3a7f02c93f0bdfd9a0372c5b38fd438989999d09..34796f165aa911f7a9e5f05e5ccef1b31fd273c7 100644 (file)
--- a/dhcp6.c
+++ b/dhcp6.c
@@ -260,7 +260,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
                }
                o = (const struct dhcp6_option *)od;
                *len = ntohs(o->len);
-               if (*len > ol) {
+               if (*len > ol - *os) {
                        errno = EINVAL;
                        return NULL;
                }
@@ -268,6 +268,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
        } else
                o = NULL;
 
+       *oopt = NULL;
        for (i = 0, opt = ctx->dhcp6_opts;
            i < ctx->dhcp6_opts_len; i++, opt++)
        {
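Review bot: `*oopt = NULL;` is placed after the option-length validation, so the `errno = EINVAL; return NULL;` path shown in the previous hunk still returns without writing `*oopt`. Moving the assignment to the top of dhcp6_getoption, and of dhcp_getoption in dhcp.c where it sits after the same early return, would give every return path a defined value. Whether any caller reads `*oopt` after a NULL return is not visible here, and the start of both functions lies outside the hunks. The commit message does not mention this initialization either; one line saying why it belongs to the fix would help later readers.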