From: Roy Marples <roy@marples.name>
Date: Mon, 7 May 2018 14:01:46 +0000 (+0100)
Subject: dhcp: Clarify range checks in valid UDP packets
X-Git-Tag: v7.0.5~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fc2b57c27b551a58ef69b615f69e570a21de103;p=thirdparty%2Fdhcpcd.git

dhcp: Clarify range checks in valid UDP packets
---

diff --git a/src/dhcp.c b/src/dhcp.c
index b64254a7..6a3a02de 100644
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -3276,7 +3276,7 @@ valid_udp_packet(void *data, size_t data_len, struct in_addr *from,
 	struct bootp_pkt *p;
 	uint16_t bytes;
 
-	if (data_len < sizeof(p->ip) + sizeof(p->udp)) {
+	if (data_len < sizeof(p->ip)) {
 		if (from)
 			from->s_addr = INADDR_ANY;
 		errno = ERANGE;
@@ -3291,6 +3291,12 @@ valid_udp_packet(void *data, size_t data_len, struct in_addr *from,
 	}
 
 	bytes = ntohs(p->ip.ip_len);
+	/* Check we have a payload */
+	if (bytes <= sizeof(p->ip) + sizeof(p->udp)) {
+		errno = ERANGE;
+		return -1;
+	}
+	/* Check we don't go beyond the payload */
 	if (bytes > data_len) {
 		errno = ENOBUFS;
 		return -1;