From: Roy Marples <roy@marples.name>
Date: Wed, 20 Aug 2014 09:19:06 +0000 (+0000)
Subject: Ensure domain label length and jump values fit inside the given data.
X-Git-Tag: v6.4.4~52
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f38710f8aad6b379c3be8390f8aafa422c46418;p=thirdparty%2Fdhcpcd.git

Ensure domain label length and jump values fit inside the given data.
Thanks to Tobias Stoeckmann.
---

diff --git a/dhcp-common.c b/dhcp-common.c
index f2e1b5e0..54c4a5b4 100644
--- a/dhcp-common.c
+++ b/dhcp-common.c
@@ -235,6 +235,10 @@ decode_rfc3397(char *out, size_t len, const uint8_t *p, size_t pl)
 			if (ltype == 0x80 || ltype == 0x40)
 				return -1;
 			else if (ltype == 0xc0) { /* pointer */
+				if (q == e) {
+					errno = ERANGE;
+					return -1;
+				}
 				l = (l & 0x3f) << 8;
 				l |= *q++;
 				/* save source of first jump. */
@@ -252,6 +256,10 @@ decode_rfc3397(char *out, size_t len, const uint8_t *p, size_t pl)
 				}
 			} else {
 				/* straightforward name segment, add with '.' */
+				if (q + l > e) {
+					errno = ERANGE;
+					return -1;
+				}
 				count += l + 1;
 				if (out) {
 					if (l + 1 > len) {