From: Arran Cudbard-Bell
Date: Tue, 20 Oct 2015 23:52:13 +0000 (-0400)
Subject: Check Option length more carefully. Closes #1334
X-Git-Tag: release_3_0_11~234
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37ca754aeb1629c3083793d682c5f952a5a60834;p=thirdparty%2Ffreeradius-server.git
Check Option length more carefully. Closes #1334
---
diff --git a/src/modules/proto_dhcp/dhcp.c b/src/modules/proto_dhcp/dhcp.c
index 6b47dcff829..2754ccd2da3 100644
--- a/src/modules/proto_dhcp/dhcp.c
+++ b/src/modules/proto_dhcp/dhcp.c
@@ -871,6 +871,15 @@ ssize_t fr_dhcp_decode_options(TALLOC_CTX *ctx, VALUE_PAIR **out, uint8_t const
 a_len = p[1];
 a_p = p + 2;
 
+ /*
+ * Ensure we've not been given a bad length value
+ */
+ if ((a_p + a_len) > q) {
+ fr_strerror_printf("Length field value of option %u is incorrect. "
+ "Got %u bytes, expected <= %zu bytes", p[0], p[1], q - a_p);
+ return -1;
+ }
+
 /*
 * Unknown attribute, create an octets type
 * attribute with the contents of the sub-option.
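Review bot: The added check `if ((a_p + a_len) > q)` does its bounds test by forming a pointer that can lie more than one element past the end of the option buffer, which is undefined behaviour in C and may be simplified away by an optimising compiler; comparing lengths avoids that: `if ((a_p > q) || (a_len > (size_t)(q - a_p))) {`. The length-based form also rejects the case where only the option code byte remains and `a_p` is already beyond `q`; whether `p[1]` is guaranteed readable before `a_len = p[1]` depends on code above the hunk, which is not visible here. In the error message, `q - a_p` is a `ptrdiff_t` passed to `%zu`, so either cast it as `(size_t)(q - a_p)` or print it with `%td`. The body of fr_dhcp_decode_options starts and ends outside this hunk.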