
dhcp.c: further improve validation

Add 2 more length/bounds checks with thanks to
Guido Vranken <guido@guidovranken.com>

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Kevin Darbyshire-Bryant 4 years ago
parent
commit
f4d759be54
1 changed files with 4 additions and 1 deletions
  1. 4 1
      dhcp.c

+ 4 - 1
dhcp.c

@@ -94,6 +94,8 @@ parse_dhcp_options(struct relayd_host *host, struct dhcp_header *dhcp, int len)
 			break;
 
 		opt = (void *) &opt->data[opt->len];
+		if ((uint8_t *) opt + sizeof(*opt) > end )
+			break;
 		switch(opt->code) {
 		case DHCP_OPTION_ROUTER:
 			DPRINTF(2, "Found a DHCP router option, len=%d\n", opt->len);
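Review bot: The check added after `opt = (void *) &opt->data[opt->len];` proves only that the next option's fixed header lies before `end`, not the `opt->len` payload bytes that follow it. If the case bodies below the hunk read `opt->data` (they are outside this view), the guard should cover the payload too, e.g. `if ((uint8_t *) opt + sizeof(*opt) > end || (uint8_t *) opt->data + opt->len > end) break;`. Each case should also confirm that `opt->len` is at least the number of bytes it consumes. A one-line comment such as `/* next option header must fit in the packet before code/len are read */` would record why the check sits here. parse_dhcp_options starts before and continues past the hunk.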
@@ -137,7 +139,8 @@ bool relayd_handle_dhcp_packet(struct relayd_interface *rif, void *data, int len
 	udp = (void *) ((char *) &pkt->iph + (pkt->iph.ihl << 2));
 	dhcp = (void *) (udp + 1);
 
-	if ((uint8_t *)udp + sizeof(*udp) > (uint8_t *)data + len )
+	if ((uint8_t *)udp  + sizeof(*udp)  > (uint8_t *)data + len ||
+	    (uint8_t *)dhcp + sizeof(*dhcp) > (uint8_t *)data + len)
 		return false;
 
 	udplen = ntohs(udp->len);
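Review bot: The new condition bounds `udp` and `dhcp` only at the upper end, while `pkt->iph.ihl` is taken from the packet and used on the first line of the hunk to place `udp`. Unless it is validated above the hunk, a header length below 5 puts `udp` inside the IP header and still passes this test, so a guard such as `if (pkt->iph.ihl < 5) return false;` before the pointer is computed would close that gap. It is also worth confirming that `len` covers `*pkt` before `iph` is read at all. Since `dhcp` is `udp + 1`, the second clause already implies the first, so the test could be reduced to the `dhcp` comparison with a comment saying it covers both headers. relayd_handle_dhcp_packet begins before and continues after the hunk.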