From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Wed, 24 Jun 2026 18:02:06 +0000 (+0100)
Subject: dhcp-message-dump: guard against negative option type before indexing
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e79d397a4f8928eb8f890dc71b6c7e2172843ce;p=thirdparty%2Fsystemd.git

dhcp-message-dump: guard against negative option type before indexing

dhcp_option_type_from_code() returns _DHCP_OPTION_TYPE_INVALID (-EINVAL)
for the PAD and END option codes, and dump_dhcp_option_one() uses the
returned value directly as an index into the functions[] table. Those
codes are excluded by an assert() at the top of the function, but
assert() compiles down to __builtin_unreachable() under NDEBUG, so a
negative array index read is reachable there (and trips static
analyzers). Bail out explicitly on the error return.

CID#1660105

Follow-up for 149adb2fdce0d9a40f9332ecb1a48a486fce5194
---

diff --git a/src/libsystemd-network/dhcp-message-dump.c b/src/libsystemd-network/dhcp-message-dump.c
index a593c86d451..03145222311 100644
--- a/src/libsystemd-network/dhcp-message-dump.c
+++ b/src/libsystemd-network/dhcp-message-dump.c
@@ -895,6 +895,8 @@ static int dump_dhcp_option_one(Table *table, sd_dhcp_message *message, uint8_t
         bool fallback = false;
         if (type == DHCP_OPTION_TYPE_AUTO) {
                 type = dhcp_option_type_from_code(code);
+                if (type < 0)
+                        return type;
                 fallback = true;
         }