From b745ca9d2d2d127870e6245c50417fc778080e6a Mon Sep 17 00:00:00 2001 From: Samuel Tan Date: Fri, 8 Jan 2016 09:46:36 -0800 Subject: [PATCH] UPSTREAM: Ensure that option length fits inside data length less option size Ensure that option length fits inside data length less option size. Thanks to Nico Golde for the report. Fixes CVE-2016-1504 http://roy.marples.name/projects/dhcpcd/ci/595883e2a431f65d?sbs=1 BUG: 26461547 Change-Id: I8bbb01eda998a0d7e552dcd4bf22db14c796d90e
---
 dhcp.c | 3 ++-
 dhcp6.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/dhcp.c b/dhcp.c
index 5bb16b9..f1cdc36 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -1257,12 +1257,13 @@ dhcp_getoption(struct dhcpcd_ctx *ctx,
 *os = 2; /* code + len */
 *code = (unsigned int)*od++;
 *len = (size_t)*od++;
- if (*len > ol) {
+ if (*len > ol - *os) {
 errno = EINVAL;
 return NULL;
 }
 }
+ *oopt = NULL;
 for (i = 0, opt = ctx->dhcp_opts; i < ctx->dhcp_opts_len; i++, opt++) {
 if (opt->option == *code) {
 *oopt = opt;
diff --git a/dhcp6.c b/dhcp6.c
index 238acd4..ea37fe3 100644
--- a/dhcp6.c
+++ b/dhcp6.c
@@ -258,7 +258,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
 }
 o = (const struct dhcp6_option *)od;
 *len = ntohs(o->len);
- if (*len > ol) {
+ if (*len > ol - *os) {
 errno = EINVAL;
 return NULL;
 }
@@ -266,6 +266,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
 } else o = NULL;
+ *oopt = NULL;
 for (i = 0, opt = ctx->dhcp6_opts; i < ctx->dhcp6_opts_len; i++, opt++) {
--
cgit v1.2.3
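Review bot: The new bound `*len > ol - *os` in the dhcp.c hunk (dhcp_getoption, -1257) is only sound if `ol >= *os` is already guaranteed, and no such guard is visible before the two `*od++` reads of the code and length bytes. The declarations of `ol` and `*os` are outside the hunk, but if they are unsigned, as the `(size_t)` cast on `*len` suggests, a buffer shorter than the two-byte header makes the subtraction wrap, so the check accepts any length. If the function does not already reject that case above the hunk, add `if (ol < 2) { errno = EINVAL; return NULL; }` ahead of the reads; if it does, record the precondition next to the check with `/* ol >= *os was checked above, so this cannot wrap */`. The same applies to the identical check in the first dhcp6.c hunk (-258), where only the closing `}` of the preceding block is visible; both function bodies start and end outside their hunks.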
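Review bot: The added `*oopt = NULL;` before the lookup loop in the second dhcp6.c hunk (-266), and the same line in the dhcp.c hunk, is not covered by the commit message, which describes only the length check. The line carries no comment, so its purpose has to be inferred: it appears to clear the out-parameter so that an option code with no matching table entry does not leave the caller with whatever `*oopt` held before. A one-line comment would make that explicit, e.g. `/* No table entry for this code leaves *oopt NULL; callers must check it */`. The loop body and the function's return are outside this hunk, so whether every caller tests `*oopt` for NULL cannot be confirmed from here.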