diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2016-01-28 02:09:47 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2016-01-28 13:40:25 +0000 |
commit | 78bc7d9c835404ad1b5d2eb26de390bd45e26d2a (patch) | |
tree | 4e97bf8c749db4f4a5e1af2fa72fff19514560ba /src | |
parent | f92e692eefa05ddb7b0b2817260b03262f30090e (diff) | |
download | odhcp6c-78bc7d9c835404ad1b5d2eb26de390bd45e26d2a.tar.gz |
Add missing option length checks in dhcpv6_handle_advert
These might be redundant with checks elsewhere but it's better to be
safe.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'src')
-rw-r--r-- | src/dhcpv6.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/dhcpv6.c b/src/dhcpv6.c index 08fe236..e27d899 100644 --- a/src/dhcpv6.c +++ b/src/dhcpv6.c @@ -813,7 +813,8 @@ static int dhcpv6_handle_advert(enum dhcpv6_msg orig, const int rc, if (inf_max_rt >= DHCPV6_INF_MAX_RT_MIN && inf_max_rt <= DHCPV6_INF_MAX_RT_MAX) cand.inf_max_rt = inf_max_rt; - } else if (otype == DHCPV6_OPT_IA_PD && request_prefix) { + } else if (otype == DHCPV6_OPT_IA_PD && request_prefix && + olen >= -4 + sizeof(struct dhcpv6_ia_hdr)) { struct dhcpv6_ia_hdr *h = (struct dhcpv6_ia_hdr*)&odata[-4]; uint8_t *oend = odata + olen, *d; dhcpv6_for_each_option(&h[1], oend, otype, olen, d) { @@ -823,7 +824,8 @@ static int dhcpv6_handle_advert(enum dhcpv6_msg orig, const int rc, have_pd = p->prefix; } } - } else if (otype == DHCPV6_OPT_IA_NA) { + } else if (otype == DHCPV6_OPT_IA_NA && + olen >= -4 + sizeof(struct dhcpv6_ia_hdr)) { struct dhcpv6_ia_hdr *h = (struct dhcpv6_ia_hdr*)&odata[-4]; uint8_t *oend = odata + olen, *d; dhcpv6_for_each_option(&h[1], oend, otype, olen, d) |