get_end_option_idx() has a useless conditional that always evaluates to

the same value.  Remove it, and introduce a slightly less useless
conditional that prevents a possible one-byte-read past the end of
packet.

This bug could possibly cause ndhc to segfault on some architectures
with extremely unlikely memory layouts and a very pathological crafted
input packet.
This commit is contained in:
Nicholas J. Kain 2014-03-18 01:38:58 -04:00
parent e8687ba29f
commit 742baf6d7b

View File

@ -124,8 +124,9 @@ ssize_t get_end_option_idx(struct dhcpmsg *packet)
return i;
if (packet->options[i] == DCODE_PADDING)
continue;
if (packet->options[i] != DCODE_PADDING)
i += packet->options[i+1] + 1;
if (i + 1 >= sizeof packet->options)
break;
i += packet->options[i+1] + 1;
}
log_warning("get_end_option_idx: Did not find DCODE_END marker.");
return -1;