From: Alan T. DeKok
Date: Sun, 24 Jan 2021 13:09:13 +0000 (-0500)
Subject: we have one byte of option length, too
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1b19612c04c8d0e15d192e16da3d02f4edff8a6;p=thirdparty%2Ffreeradius-server.git
we have one byte of option length, too
---
diff --git a/src/protocols/dhcpv4/decode.c b/src/protocols/dhcpv4/decode.c
index 271c53e025..dc94fa7b5e 100644
--- a/src/protocols/dhcpv4/decode.c
+++ b/src/protocols/dhcpv4/decode.c
@@ -393,6 +393,7 @@ static ssize_t decode_value(TALLOC_CTX *ctx, fr_dcursor_t *cursor,
 * attribute.
 */
 for (i = 0, p = data; i < values; i++) {
+ fr_assert((p + value_len) <= (data + data_len));
 len = decode_value_internal(ctx, cursor, parent, p, value_len);
 if (len <= 0) return len;
 if (len != (ssize_t)value_len) goto raw;
@@ -478,7 +479,7 @@ next:
 FR_PROTO_TRACE("decode context %s -> %s", parent->name, vendor->name);
 option_len = p[0];
- if ((p + option_len) > end) {
+ if ((p + 1 + option_len) > end) {
 len = decode_raw(ctx, cursor, vendor, p[1], p, end - p);
 if (len < 0) return len;
diff --git a/src/tests/unit/protocols/dhcpv4/vendor.txt b/src/tests/unit/protocols/dhcpv4/vendor.txt
index 369b32db89..ab1d377ffd 100644
--- a/src/tests/unit/protocols/dhcpv4/vendor.txt
+++ b/src/tests/unit/protocols/dhcpv4/vendor.txt
@@ -19,5 +19,11 @@ match 7d 15 00 00 00 09 10 05 06 61 61 2e 74 78 74 05 06 62 62 2e 74 78 74
 encode-pair V-I-Vendor-Specific.ADSL-Forum.Manufacturer-OUI = 0x01, V-I-Vendor-Specific.ADSL-Forum.Device-Serial-Number = 0x02, V-I-Vendor-Specific.ADSL-Forum.Device-Product-Class = 0x03
 match 7d 0e 00 00 0d e9 09 01 01 01 02 01 02 03 01 03
+#
+# PEN + option_len, where option_len 09 > end of attribute
+#
+decode-pair 7d 0d 00 00 00 09 09 05 06 61 61 2e 74 78 74
+match raw.V-I-Vendor-Specific.Cisco.5 = 0x08050661612e747874
+
 count
-match 12
+match 14
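Review bot: `fr_assert((p + value_len) <= (data + data_len));` in the `for` loop of decode_value() states the bound only as an assertion, while the lengths it covers come from a received DHCP option. If fr_assert is compiled out or non-fatal in release builds (its definition is not in this hunk), decode_value_internal() is still called with `p` and `value_len` unchecked. A runtime check that takes the existing `raw` path would hold in every build, for example `if (value_len > (size_t)((data + data_len) - p)) goto raw;`, which also avoids forming a pointer past the buffer. The loop body and the computation of `values` continue outside the hunk, so an earlier check may already guarantee this bound.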
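Review bot: In the branch taken when `(p + 1 + option_len) > end`, the call `decode_raw(ctx, cursor, vendor, p[1], p, end - p)` reads `p[1]` with no visible check that a second byte exists. If `p + 1 == end` and `option_len` is non-zero, the new condition is true and `p[1]` lies one byte past the data, unless code above the hunk guarantees at least two remaining bytes. A guard such as `if ((end - p) < 2)` ahead of `option_len = p[0];`, routed to the function's existing error handling, would close that gap. Comparing lengths instead of pointers, `(size_t)(end - p) < (size_t)option_len + 1`, would also avoid computing a pointer beyond `end`. The enclosing block starts and ends outside the hunk.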
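Review bot: The expected value in `match raw.V-I-Vendor-Specific.Cisco.5 = 0x08050661612e747874` starts with `08`, while the byte at that position in the `decode-pair` input is `09`. Either the decoder rewrites the length byte on the raw path or the expectation records an unintended value, and the test does not say which. A comment above the case such as `# raw value begins with 08 although the input length byte is 09 - confirm intended` would stop the expectation from locking in a side effect. A companion case where only the length byte follows the PEN would exercise the other edge of the new `p + 1 + option_len` check.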