From 19a18bf7c8af649c9e9742fb6a046f6aff639866 Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Mon, 3 Jul 2017 15:42:35 -0400 Subject: [PATCH] FR-GV-304 - check for option overflowing the packet --- src/modules/proto_dhcp/dhcp.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/modules/proto_dhcp/dhcp.c b/src/modules/proto_dhcp/dhcp.c index dbfe817..5fd922d 100644 --- a/src/modules/proto_dhcp/dhcp.c +++ b/src/modules/proto_dhcp/dhcp.c @@ -629,6 +629,24 @@ static int fr_dhcp_decode_suboption(TALLOC_CTX *ctx, VALUE_PAIR **tlv, uint8_t c uint32_t attr; /* + * Not enough room for the option header, it's a + * bad packet. + */ + if ((p + 2) > (data + len)) { + fr_pair_list_free(&head); + return -1; + } + + /* + * Not enough room for the option header + data, + * it's a bad packet. + */ + if ((p + 2 + p[1]) > (data + len)) { + fr_pair_list_free(&head); + return -1; + } + + /* * The initial OID string looks like: * .0 * -- 2.1.4