Applied, thanks!
On Wed, Oct 12, 2016 at 10:53 PM, Brian Foley <[email protected]> wrote: > > > Signed-off-by: Brian Foley <[email protected]> > --- > networking/udhcp/common.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c > index 0cf4dab..b6feffd 100644 > --- a/networking/udhcp/common.c > +++ b/networking/udhcp/common.c > @@ -225,10 +225,13 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet > *packet, int code) > optionptr = packet->options; > rem = sizeof(packet->options); > while (1) { > + /* Is there enough option payload left to read the option > code? */ > if (rem <= 0) { > bb_error_msg("bad packet, malformed option field"); > return NULL; > } > + > + /* DHCP_PADDING and DHCP_END have no extra option fields */ > if (optionptr[OPT_CODE] == DHCP_PADDING) { > rem--; > optionptr++; > @@ -251,6 +254,12 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet > *packet, int code) > } > break; > } > + > + /* All other options must have at least a 1 byte len field */ > + if (rem <= 1) { > + bb_error_msg("bad packet, malformed option field"); > + return NULL; > + } > len = 2 + optionptr[OPT_LEN]; > rem -= len; > if (rem < 0) > -- > 2.7.4 > > _______________________________________________ > busybox mailing list > [email protected] > http://lists.busybox.net/mailman/listinfo/busybox _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
