From: Petr Menšík <pemensik@redhat.com>
Date: Fri, 16 Feb 2024 16:15:35 +0000 (+0100)
Subject: Move dhcp(v4) packet size check earlier (#295)
X-Git-Tag: v10.0.7~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=727c78f503d456875e2a3cee7609288b537d9d25;p=thirdparty%2Fdhcpcd.git

Move dhcp(v4) packet size check earlier (#295)

dhcp_handlebootp handled zero sized packets correctly, but
dhcp_redirect_dhcp did not have such protection. Move size check before
both of them. Size when called from dhcp_packet is checked by
is_packet_udp_bootp call. Only dhcp_recvmsg needs earlier checking to be
added.

Fixes #283
---

diff --git a/src/dhcp.c b/src/dhcp.c
index a58e1db2..581a9faa 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -3532,12 +3532,6 @@ dhcp_handlebootp(struct interface *ifp, struct bootp *bootp, size_t len,
 {
 	size_t v;
 
-	if (len < offsetof(struct bootp, vend)) {
-		logerrx("%s: truncated packet (%zu) from %s",
-		    ifp->name, len, inet_ntoa(*from));
-		return;
-	}
-
 	/* Unlikely, but appeases sanitizers. */
 	if (len > FRAMELEN_MAX) {
 		logerrx("%s: packet exceeded frame length (%zu) from %s",
@@ -3670,6 +3664,13 @@ dhcp_recvmsg(struct dhcpcd_ctx *ctx, struct msghdr *msg)
 		logerr(__func__);
 		return;
 	}
+
+	if (iov->iov_len < offsetof(struct bootp, vend)) {
+		logerrx("%s: truncated packet (%zu) from %s",
+		    ifp->name, iov->iov_len, inet_ntoa(from->sin_addr));
+		return;
+	}
+
 	state = D_CSTATE(ifp);
 	if (state == NULL) {
 		/* Try re-directing it to another interface. */