From 1bac167e2dfa3607bb987275259e7c0e028c90c0 Mon Sep 17 00:00:00 2001 From: hyung-hwan Date: Tue, 26 Jul 2022 07:37:29 +0000 Subject: [PATCH] fixed a boundary check bug in qse_dhcp6_find_option() --- qse/lib/dhcp/dhcp6msg.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/qse/lib/dhcp/dhcp6msg.c b/qse/lib/dhcp/dhcp6msg.c index 6f2ea88b..9a83197b 100644 --- a/qse/lib/dhcp/dhcp6msg.c +++ b/qse/lib/dhcp/dhcp6msg.c @@ -4,7 +4,7 @@ qse_dhcp6_opt_hdr_t* qse_dhcp6_find_option (const qse_dhcp6_pktinf_t* pkt, int code) { qse_dhcp6_opt_hdr_t* opt; - qse_size_t rem; + qse_size_t rem, opt_len; if (pkt->len < QSE_SIZEOF(qse_dhcp6_pkt_hdr_t)) return QSE_NULL; @@ -29,7 +29,9 @@ qse_dhcp6_opt_hdr_t* qse_dhcp6_find_option (const qse_dhcp6_pktinf_t* pkt, int c return opt; } - rem -= QSE_SIZEOF(qse_dhcp6_opt_hdr_t) + qse_ntoh16(opt->len); + opt_len = QSE_SIZEOF(qse_dhcp6_opt_hdr_t) + qse_ntoh16(opt->len); + if (rem < opt_len) break; + rem -= opt_len; opt = (qse_dhcp6_opt_hdr_t*)((qse_uint8_t*)(opt + 1) + qse_ntoh16(opt->len)); }