dhcp.c: further improve validation master
authorKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fri, 24 Apr 2020 10:18:26 +0000 (11:18 +0100)
committerKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fri, 24 Apr 2020 10:18:34 +0000 (11:18 +0100)
Add 2 more length/bounds checks with thanks to
Guido Vranken <guido@guidovranken.com>

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
dhcp.c

diff --git a/dhcp.c b/dhcp.c
index 4dbdece5ac0144dfaa2b19ea8fb2217b8e48bf09..b68508688358e899799b7547d68b077391132d3f 100644 (file)
--- a/dhcp.c
+++ b/dhcp.c
@@ -94,6 +94,8 @@ parse_dhcp_options(struct relayd_host *host, struct dhcp_header *dhcp, int len)
                        break;
 
                opt = (void *) &opt->data[opt->len];
+               if ((uint8_t *) opt + sizeof(*opt) > end )
+                       break;
                switch(opt->code) {
                case DHCP_OPTION_ROUTER:
                        DPRINTF(2, "Found a DHCP router option, len=%d\n", opt->len);
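Review bot: The check added after `opt` is advanced only guarantees that the option header (`sizeof(*opt)`) lies before `end`; nothing visible in this hunk bounds the new option's payload, `opt->data` through `opt->data + opt->len`, before the `switch` dispatches on `opt->code`. The case bodies continue outside the hunk, so this is inferred, but if they read `opt->data` then a truncated final option with a large `len` byte could still be read past `end`. I would add `if ((uint8_t *) opt->data + opt->len > end) break;` directly after the new check. Any case that expects a fixed-size value should also confirm `opt->len` is at least that size before using it. A short comment such as `/* header of the next option must be inside the packet */` would make clear which of the two bounds the new lines enforce.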
@@ -137,7 +139,8 @@ bool relayd_handle_dhcp_packet(struct relayd_interface *rif, void *data, int len
        udp = (void *) ((char *) &pkt->iph + (pkt->iph.ihl << 2));
        dhcp = (void *) (udp + 1);
 
-       if ((uint8_t *)udp + sizeof(*udp) > (uint8_t *)data + len )
+       if ((uint8_t *)udp  + sizeof(*udp)  > (uint8_t *)data + len ||
+           (uint8_t *)dhcp + sizeof(*dhcp) > (uint8_t *)data + len)
                return false;
 
        udplen = ntohs(udp->len);
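Review bot: The widened bound still takes `pkt->iph.ihl << 2` from the packet as-is, and no lower limit on it is visible in this hunk. An `ihl` below 5 places `udp` and `dhcp` inside the IP header itself, so both comparisons against `(uint8_t *)data + len` pass while the code then parses the wrong bytes. Unless it is already rejected earlier in `relayd_handle_dhcp_packet` (the function starts and ends outside the hunk), add `if (pkt->iph.ihl < 5) return false;` before `udp` is computed. Since `dhcp` is `udp + 1`, the second comparison implies the first, so the condition could be reduced to the `dhcp` test alone with a comment saying so. `udplen` is read from the packet on the last line; its use is outside the hunk, so it is worth confirming that it is checked both against `sizeof(*udp)` and against the bytes remaining in `data` before it is turned into an options length.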