From a92f79b03461b2a5a86967ffa9e1f17d1402e832 Mon Sep 17 00:00:00 2001
From: Roy Marples <roy@marples.name>
Date: Sat, 20 Jun 2026 18:14:30 +0100
Subject: [PATCH] DHCP6: Ensure IA_PD Prefix Length is valid

Reported by NVIDIA Project Vanessa
---
 src/dhcp6.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/dhcp6.c b/src/dhcp6.c
index a061d0bd..61a90633 100644
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -2311,6 +2311,13 @@ dhcp6_findpd(struct interface *ifp, const uint8_t *iaid, uint8_t *d, size_t l,
 		memcpy(&pdp_plen, o, sizeof(pdp_plen));
 		o += sizeof(pdp_plen);
 
+		if (pdp_plen > 128) {
+			errno = EINVAL;
+			logerrx("%s: IA Prefix length %u invalid", ifp->name,
+			    pdp_plen);
+			continue;
+		}
+
 		pdp_pltime = ntohl(pdp_pltime);
 		pdp_vltime = ntohl(pdp_vltime);
 		/* RFC 3315 22.6 */
-- 
2.47.3