From: Roy Marples
Date: Mon, 4 Jan 2016 23:31:43 +0000 (+0000)
Subject: Ensure that option length fits inside data length less option size.
X-Git-Tag: v6.10.0~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33c03b26c01201152774ef92e7b773281b8d8443;p=thirdparty%2Fdhcpcd.git
Ensure that option length fits inside data length less option size. Thanks to Nico Golde for the report. Fixes CVE-2016-1504
---
diff --git a/dhcp.c b/dhcp.c
index c75ba552..c1361ea7 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -1224,12 +1224,13 @@ dhcp_getoption(struct dhcpcd_ctx *ctx,
 *os = 2; /* code + len */
 *code = (unsigned int)*od++;
 *len = (size_t)*od++;
- if (*len > ol) {
+ if (*len > ol - *os) {
 errno = EINVAL;
 return NULL;
 }
 }
+ *oopt = NULL;
 for (i = 0, opt = ctx->dhcp_opts; i < ctx->dhcp_opts_len; i++, opt++) {
 if (opt->option == *code) {
 *oopt = opt;
diff --git a/dhcp6.c b/dhcp6.c
index 3a7f02c9..34796f16 100644
--- a/dhcp6.c
+++ b/dhcp6.c
@@ -260,7 +260,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
 }
 o = (const struct dhcp6_option *)od;
 *len = ntohs(o->len);
- if (*len > ol) {
+ if (*len > ol - *os) {
 errno = EINVAL;
 return NULL;
 }
@@ -268,6 +268,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
 } else o = NULL;
+ *oopt = NULL;
 for (i = 0, opt = ctx->dhcp6_opts; i < ctx->dhcp6_opts_len; i++, opt++) {
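Review bot: The new bound `*len > ol - *os` in dhcp_getoption is only safe if `ol >= *os` already holds, and nothing inside this hunk shows that check. `*len` is assigned from a `(size_t)` cast, so the comparison is presumably unsigned; if `ol` could be smaller than `*os` at this point, the subtraction would wrap to a very large value and an oversized option would be accepted again. The function starts above the hunk, so a guard may well exist there, but making the test self-contained costs nothing: `if (ol < *os || *len > ol - *os) {`. The same applies to the identical change in the first dhcp6.c hunk (dhcp6_getoption).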
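Review bot: `*oopt = NULL;` is placed after the `errno = EINVAL; return NULL;` exit shown in the previous dhcp6.c hunk, so on the malformed-option path `*oopt` keeps whatever value the caller passed in. If any caller reads `*oopt` after a failed call (callers are not visible here), it would see a stale or uninitialised pointer; moving the assignment to the top of dhcp6_getoption, before the length checks, would set it on every return path. A short comment such as `/* no match unless the loop below finds one */` would also document why it is reset. The dhcp.c hunk uses the same placement, and both functions begin and end outside the hunks.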