get_end_option_idx() has a useless conditional that always evaluates to
the same value.  Remove it, and introduce a slightly less useless
conditional that prevents a possible one-byte-read past the end of
packet.

This bug could possibly cause ndhc to segfault on some architectures
with extremely unlikely memory layouts and a very pathological crafted
input packet.
Nicholas J. Kain 2014-03-18 01:38:58 -04:00
parent e8687ba29f
commit 742baf6d7b

@ -124,8 +124,9 @@ ssize_t get_end_option_idx(struct dhcpmsg *packet)
return i; return i;
if (packet->options[i] == DCODE_PADDING) if (packet->options[i] == DCODE_PADDING)
continue; continue;
if (packet->options[i] != DCODE_PADDING) if (i + 1 >= sizeof packet->options)
i += packet->options[i+1] + 1; break;
i += packet->options[i+1] + 1;
} }
log_warning("get_end_option_idx: Did not find DCODE_END marker."); log_warning("get_end_option_idx: Did not find DCODE_END marker.");
return -1; return -1;
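
Review bot: The added `if (i + 1 >= sizeof packet->options) break;` has no comment saying that it guards the length-byte read `packet->options[i+1]` on the following line, and its `break` falls through to the "Did not find DCODE_END marker" warning, so an option truncated at the end of the buffer is logged the same way as a packet with no end marker. A one-line comment on the check and a distinct warning for the truncated case would make the two failure modes distinguishable in logs. Separately, the check only covers the length byte: after `i += packet->options[i+1] + 1;` the index can still land past the end of `options`, and the loop condition that would have to catch that is outside this hunk, so it is worth confirming that it compares `i` against `sizeof packet->options` before the next `packet->options[i]` read.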