From: Roy Marples Date: Wed, 24 Apr 2019 11:35:34 +0000 (+0100) Subject: DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED X-Git-Tag: v6.11.6~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6adf6108ddb8d3e898aa715edfbaab0a900b4f8d;p=thirdparty%2Fdhcpcd.git DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED This fix basically moves the option length check up and also corrects off by one error with it. Thanks to Maxime Villard --- diff --git a/dhcp.c b/dhcp.c index 19f94976..1661bf48 100644 --- a/dhcp.c +++ b/dhcp.c @@ -201,6 +201,12 @@ get_option(struct dhcpcd_ctx *ctx, } l = *p++; + /* Check we can read the option data, if present */ + if (p + l > e) { + errno = EINVAL; + return NULL; + } + if (o == DHO_OPTSOVERLOADED) { /* Ensure we only get this option once by setting * the last bit as well as the value. @@ -235,10 +241,6 @@ get_option(struct dhcpcd_ctx *ctx, bp += ol; } ol = l; - if (p + ol >= e) { - errno = EINVAL; - return NULL; - } op = p; bl += ol; }
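Review bot: In the first hunk, the new check `if (p + l > e)` placed after `l = *p++;` computes the pointer `p + l` before comparing it. If `e` marks the end of the packet buffer, a malformed length makes that pointer land more than one element past the end, which C leaves undefined and which an optimising compiler is allowed to assume never happens. Comparing lengths instead, for example `if (l > e - p)` with a cast matching the type of `l`, gives the same accept/reject result without forming the out-of-range pointer. The visible context also does not show a bound check before the length byte itself is read by `l = *p++;`, so it is worth confirming that `p < e` is guaranteed at that point.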
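Review bot: In the second hunk, once the `if (p + ol >= e)` block is removed, the lines `ol = l;`, `op = p;` and `bl += ol;` depend entirely on the check added earlier in the function, and nothing at this site says so. The comparison has also changed from `>=` to `>`, so an option whose data ends exactly at `e` is now accepted where it was rejected before. A short comment here noting that the length was validated right after `l = *p++;` would keep a later refactor from separating the two. A test with an option that ends exactly at the end of the buffer, plus one with a truncated DHO_OPTSOVERLOADED option, would pin both the off-by-one correction and the moved check.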