In the case a packet ends
<op n><len><data>
<op n><len><data>
<op 255>
there will only be 1 byte (the <op 255>) after going round the loop
twice. Previously this would have failed the test (end - next) < 2
without having detected that the option code has changed.
q = concat_buffer;
for (next = data; next < end; next += 2 + next[1]) {
- if ((end - next) < 2) return -1;
+ if (next >= end) return -1;
if (next[0] != data[0]) break;
+ if ((end - next) < 2) return -1;
if ((next + 2 + next[1]) > end) return -1;
if ((size_t) (q + next[1] - concat_buffer) > sizeof(concat_buffer)) return -1;
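Review bot: the added `if (next >= end) return -1;` at the top of the loop body can never fire, because the `for` condition `next < end` has just evaluated true and nothing changes `next` or `end` between that test and this line. Drop it, or, if it is meant as a defensive assertion, say so in a comment. The part of the change that does the work is moving `(end - next) < 2` below the `next[0] != data[0]` comparison. Reading `next[0]` there is safe given `next < end`. Separately, the context line `if ((next + 2 + next[1]) > end) return -1;` computes a pointer that may lie beyond `end` before comparing it. A length comparison such as `next[1] > (end - next) - 2` avoids forming that pointer, and is well defined because `(end - next) >= 2` has been established by that point.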