Check Option length more carefully. Closes #1334
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Tue, 20 Oct 2015 23:52:13 +0000 (19:52 -0400)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Wed, 21 Oct 2015 01:22:19 +0000 (21:22 -0400)
src/modules/proto_dhcp/dhcp.c

index 6b47dcff82930cd7f3acf11c77b4be9daef97eed..2754ccd2da3e42244dc768bb341e5c50bca2d1b5 100644 (file)
@@ -871,6 +871,15 @@ ssize_t fr_dhcp_decode_options(TALLOC_CTX *ctx, VALUE_PAIR **out, uint8_t const
                a_len = p[1];
                a_p = p + 2;
 
+               /*
+                *      Ensure we've not been given a bad length value
+                */
+               if ((a_p + a_len) > q) {
+                       fr_strerror_printf("Length field value of option %u is incorrect.  "
+                                          "Got %u bytes, expected <= %zu bytes", p[0], p[1], q - a_p);
+                       return -1;
+               }
+
                /*
                 *      Unknown attribute, create an octets type
                 *      attribute with the contents of the sub-option.
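Review bot: The added guard `if ((a_p + a_len) > q)` adds a length taken from the packet to a pointer before comparing, so `a_p + a_len` can point more than one past the end of the options buffer, which is undefined behaviour in C; comparing lengths instead keeps all arithmetic in bounds, e.g. `if ((q - a_p) < 0 || (size_t)(q - a_p) < a_len) {`. The read `a_len = p[1];` on the context line above the check happens before any bound test visible in this hunk, so unless the enclosing loop (outside the hunk) already guarantees at least two bytes remain at `p`, the length byte itself can be read past `q` and `q - a_p` becomes negative. The error message passes `q - a_p`, a `ptrdiff_t`, to `%zu`; `%td` matches that type, or cast to `size_t` once the value is known to be non-negative. The body of fr_dhcp_decode_options starts and ends outside the hunk, so the loop conditions should be confirmed there.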