From f4d759be54ceb37714e9a6ca320d5b50c95e9ce9 Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant
Date: Fri, 24 Apr 2020 11:18:26 +0100
Subject: [PATCH] dhcp.c: further improve validation

Add 2 more length/bounds checks with thanks to Guido Vranken

Signed-off-by: Kevin Darbyshire-Bryant
---
 dhcp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/dhcp.c b/dhcp.c
index 4dbdece..b685086 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -94,6 +94,8 @@ parse_dhcp_options(struct relayd_host *host, struct dhcp_header *dhcp, int len)
 break;
 opt = (void *) &opt->data[opt->len];
+ if ((uint8_t *) opt + sizeof(*opt) > end )
+ break;
 switch(opt->code) {
 case DHCP_OPTION_ROUTER:
 DPRINTF(2, "Found a DHCP router option, len=%d\n", opt->len);
@@ -137,7 +139,8 @@ bool relayd_handle_dhcp_packet(struct relayd_interface *rif, void *data, int len
 udp = (void *) ((char *) &pkt->iph + (pkt->iph.ihl << 2));
 dhcp = (void *) (udp + 1);
- if ((uint8_t *)udp + sizeof(*udp) > (uint8_t *)data + len )
+ if ((uint8_t *)udp + sizeof(*udp) > (uint8_t *)data + len ||
+ (uint8_t *)dhcp + sizeof(*dhcp) > (uint8_t *)data + len)
 return false;
 udplen = ntohs(udp->len);
-- 
2.25.1
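Review bot: The check added after `opt = (void *) &opt->data[opt->len];` in the first hunk bounds only the option header (`sizeof(*opt)`), not the `opt->len` payload bytes that follow it, so a final option whose declared length runs past `end` still reaches the `switch`. Extending the guard to `if ((uint8_t *) opt + sizeof(*opt) > end || (uint8_t *) &opt->data[opt->len] > end) break;` would cover the payload as well, with the short-circuit keeping the `opt->len` read behind the header check. The case bodies that read `opt->data` are outside the hunk, so whether they also need a per-option minimum length (presumably 4 bytes for a router address) should be confirmed there.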
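Review bot: `udplen = ntohs(udp->len)` on the last line of the second hunk comes straight from the packet, and the new condition only proves that the fixed DHCP header fits inside the captured `len` bytes, not inside the datagram length the sender declared. If code after the hunk derives the option-area length from `udplen`, a value smaller than `sizeof(*udp) + sizeof(*dhcp)` would make that length negative or too small; a guard such as `if (udplen < sizeof(*udp) + sizeof(*dhcp)) return false;` directly after the assignment closes that, unless it already exists below. The validation of `pkt->iph.ihl`, which is used to compute `udp`, is likewise outside the hunk and should be confirmed. A local `uint8_t *end = (uint8_t *)data + len;` would also make the two comparisons easier to read and keep them consistent.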