DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
authorRoy Marples <roy@marples.name>
Wed, 24 Apr 2019 11:35:34 +0000 (12:35 +0100)
committerRoy Marples <roy@marples.name>
Wed, 24 Apr 2019 11:35:34 +0000 (12:35 +0100)
This fix basically moves the option length check up and also
corrects an off-by-one error in it.

Thanks to Maxime Villard <max@m00nbsd.net>

dhcp.c

diff --git a/dhcp.c b/dhcp.c
index 19f94976b424a988d88507ced00479448315f82f..1661bf4807eaad10c3ea9a8fdee48e652f833667 100644 (file)
--- a/dhcp.c
+++ b/dhcp.c
@@ -201,6 +201,12 @@ get_option(struct dhcpcd_ctx *ctx,
                }
                l = *p++;
 
+               /* Check we can read the option data, if present */
+               if (p + l > e) {
+                       errno = EINVAL;
+                       return NULL;
+               }
+
                if (o == DHO_OPTSOVERLOADED) {
                        /* Ensure we only get this option once by setting
                         * the last bit as well as the value.
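Review bot: The added guard `if (p + l > e)` forms the pointer `p + l` before comparing it, and for a crafted packet whose length byte exceeds the bytes remaining, that pointer lies beyond one-past-the-end of the buffer, which is undefined behaviour in C. The check should compare lengths instead, e.g. `if (l > (size_t)(e - p)) {`, which stays within the buffer and rejects the same inputs. This assumes `p <= e` holds after `l = *p++;`; whether the read of the length byte itself is bounds-checked is not visible, because the body of get_option starts and ends outside the hunk. A short comment such as `/* l comes from the packet and is untrusted */` above the check would also make the trust boundary explicit.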
@@ -235,10 +241,6 @@ get_option(struct dhcpcd_ctx *ctx,
                                bp += ol;
                        }
                        ol = l;
-                       if (p + ol >= e) {
-                               errno = EINVAL;
-                               return NULL;
-                       }
                        op = p;
                        bl += ol;
                }