Ensure domain label length and jump values fit inside the given data.

author Roy Marples <roy@marples.name>

Wed, 20 Aug 2014 09:19:06 +0000 (09:19 +0000)

committer Roy Marples <roy@marples.name>

Wed, 20 Aug 2014 09:19:06 +0000 (09:19 +0000)
author Roy Marples <roy@marples.name>
Wed, 20 Aug 2014 09:19:06 +0000 (09:19 +0000)
committer Roy Marples <roy@marples.name>
Wed, 20 Aug 2014 09:19:06 +0000 (09:19 +0000)
diff --git a/dhcp-common.c b/dhcp-common.c

index f2e1b5e012aa826a6751fd4d4f10dd9998626193..54c4a5b49fc1f9d24c84e471bd7fca249929bf68 100644 (file)
--- a/dhcp-common.c
+++ b/dhcp-common.c
@@ -235,6 +235,10 @@ decode_rfc3397(char *out, size_t len, const uint8_t *p, size_t pl)
                         if (ltype == 0x80 || ltype == 0x40)
                                 return -1;
                         else if (ltype == 0xc0) { /* pointer */
+                               if (q == e) {
+                                       errno = ERANGE;
+                                       return -1;
+                               }
                                 l = (l & 0x3f) << 8;
                                 l |= *q++;
                                 /* save source of first jump. */
@@ -252,6 +256,10 @@ decode_rfc3397(char *out, size_t len, const uint8_t *p, size_t pl)
                                 }
                         } else {
                                 /* straightforward name segment, add with '.' */
+                               if (q + l > e) {
+                                       errno = ERANGE;
+                                       return -1;
+                               }
                                 count += l + 1;
                                 if (out) {
                                         if (l + 1 > len) {
author	Roy Marples <roy@marples.name>
	Wed, 20 Aug 2014 09:19:06 +0000 (09:19 +0000)
committer	Roy Marples <roy@marples.name>
	Wed, 20 Aug 2014 09:19:06 +0000 (09:19 +0000)