From: Nick Porter <nick@portercomputing.co.uk>
Date: Tue, 3 Sep 2024 17:09:47 +0000 (+0100)
Subject: Walk over padding bytes when decoding DHCPv4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7b934ab39232d55cd969adb93a76ef6a00c706f;p=thirdparty%2Ffreeradius-server.git

Walk over padding bytes when decoding DHCPv4

Packets are allowed to contain as many bytes of Pad Option as they want.
They have been seen in the wild with 50 bytes of 0, then with more valid
options after...
---

diff --git a/src/protocols/dhcpv4/decode.c b/src/protocols/dhcpv4/decode.c
index 7fdc866393..e334d4891a 100644
--- a/src/protocols/dhcpv4/decode.c
+++ b/src/protocols/dhcpv4/decode.c
@@ -552,7 +552,15 @@ ssize_t fr_dhcpv4_decode_option(TALLOC_CTX *ctx, fr_pair_list_t *out,
 	/*
 	 *	Padding / End of options
 	 */
-	if (p[0] == 0) return data_len;		/* 0x00 - Padding option */
+	if (p[0] == 0) {			/* 0x00 - Padding option	  */
+		data_len = 1;			/* Walk over any consecutive 0x00 */
+		p++;				/* for efficiency		  */
+		while ((p < end) && (p[0] == 0)) {
+			p++;
+			data_len ++;
+		}
+		return data_len;
+	}
 	if (p[0] == 255) return data_len;	/* 0xff - End of options signifier */
 
 	/*