From: Roy Marples <roy@marples.name>
Date: Tue, 3 May 2016 16:21:20 +0000 (+0000)
Subject: Fix reading long DHCPv6 leases.
X-Git-Tag: v6.11.0~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=822a74f9a211ff5c6d0de208212ac403bcbe90fc;p=thirdparty%2Fdhcpcd.git

Fix reading long DHCPv6 leases.
---

diff --git a/dhcp6.c b/dhcp6.c
index 5f6201f8..d5457e37 100644
--- a/dhcp6.c
+++ b/dhcp6.c
@@ -2196,9 +2196,11 @@ dhcp6_readlease(struct interface *ifp, int validate)
 	}
 	retval = -1;
 	/* DHCPv6 messages have no real maximum size.
-	 * As we could be reading from stdin, we loop like so. */
+	 * As we could be reading from stdin, we loop like so.
+	 * state->new_len refers to the buffer position,
+	 * but the buffer itself always BUFSIZ bigger. */
 	for (;;) {
-		bytes = read(fd, state->new + state->new_len, BUFSIZ);
+		bytes = read(fd, (char *)state->new + state->new_len, BUFSIZ);
 		if (bytes == -1)
 			break;
 		if (bytes < BUFSIZ) {
@@ -2206,7 +2208,7 @@ dhcp6_readlease(struct interface *ifp, int validate)
 			retval = 0;
 			break;
 		}
-		newlen = state->new_len + BUFSIZ;
+		newlen = state->new_len + (BUFSIZ * 2);
 		if (newlen > UINT32_MAX || newlen < state->new_len) {
 			errno = E2BIG;
 			break;
@@ -2214,7 +2216,7 @@ dhcp6_readlease(struct interface *ifp, int validate)
 		if ((newnew = realloc(state->new, newlen)) == NULL)
 			break;
 		state->new = newnew;
-		state->new_len = newlen;
+		state->new_len += BUFSIZ;
 	}
 	if (fd_opened)
 		close(fd);