FR-GV-304 - check for option overflowing the packet

author Alan T. DeKok <aland@freeradius.org>

Mon, 3 Jul 2017 19:42:35 +0000 (15:42 -0400)

committer Alan T. DeKok <aland@freeradius.org>

Mon, 17 Jul 2017 12:36:24 +0000 (08:36 -0400)
author Alan T. DeKok <aland@freeradius.org>
Mon, 3 Jul 2017 19:42:35 +0000 (15:42 -0400)
committer Alan T. DeKok <aland@freeradius.org>
Mon, 17 Jul 2017 12:36:24 +0000 (08:36 -0400)
diff --git a/src/modules/proto_dhcp/dhcp.c b/src/modules/proto_dhcp/dhcp.c

index dbfe817..5fd922d 100644 (file)
--- a/src/modules/proto_dhcp/dhcp.c
+++ b/src/modules/proto_dhcp/dhcp.c
@@ -629,6 +629,24 @@ static int fr_dhcp_decode_suboption(TALLOC_CTX *ctx, VALUE_PAIR **tlv, uint8_t c
                 uint32_t        attr;
  
                 /*
+                *      Not enough room for the option header, it's a
+                *      bad packet.
+                */
+               if ((p + 2) > (data + len)) {
+                       fr_pair_list_free(&head);
+                       return -1;
+               }
+
+               /*
+                *      Not enough room for the option header + data,
+                *      it's a bad packet.
+                */
+               if ((p + 2 + p[1]) > (data + len)) {
+                       fr_pair_list_free(&head);
+                       return -1;
+               }
+
+               /*
                  *      The initial OID string looks like:
                  *      <iana>.0
                  *
author	Alan T. DeKok <aland@freeradius.org>
	Mon, 3 Jul 2017 19:42:35 +0000 (15:42 -0400)
committer	Alan T. DeKok <aland@freeradius.org>
	Mon, 17 Jul 2017 12:36:24 +0000 (08:36 -0400)