FR-GV-205 - check for "too long" options, too

author Alan T. DeKok <aland@freeradius.org>

Mon, 3 Jul 2017 00:54:36 +0000 (20:54 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Mon, 17 Jul 2017 12:22:32 +0000 (08:22 -0400)
author Alan T. DeKok <aland@freeradius.org>
Mon, 3 Jul 2017 00:54:36 +0000 (20:54 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Mon, 17 Jul 2017 12:22:32 +0000 (08:22 -0400)
diff --git a/src/lib/dhcp.c b/src/lib/dhcp.c

index c632e66..d49e99b 100644 (file)
--- a/src/lib/dhcp.c
+++ b/src/lib/dhcp.c
@@ -599,6 +599,12 @@ ssize_t fr_dhcp_decode_options(uint8_t *data, size_t len, VALUE_PAIR **head)
                         continue;
                 }
  
+               /*
+                *      End of this attribute past the end of the
+                *      packet: ignore it.
+                */
+               if (next > (data + len)) break;
+
                 da = dict_attrbyvalue(DHCP2ATTR(p[0]));
                 if (!da) {
                         fr_strerror_printf("Attribute not in our dictionary: %u",
author	Alan T. DeKok <aland@freeradius.org>
	Mon, 3 Jul 2017 00:54:36 +0000 (20:54 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Mon, 17 Jul 2017 12:22:32 +0000 (08:22 -0400)