From 76a9d0f1713a39471ea6c85e982fb0b447ef1315 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 30 May 2016 18:28:51 +0200 Subject: dhcp-server: fix integer underflow Let's better ignore an invalid message size parameter, than assume ridiculously larger sizes. --- src/libsystemd-network/sd-dhcp-server.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/libsystemd-network') diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c index a1af5da40f..ea4f03df1d 100644 --- a/src/libsystemd-network/sd-dhcp-server.c +++ b/src/libsystemd-network/sd-dhcp-server.c @@ -633,7 +633,8 @@ static int parse_request(uint8_t code, uint8_t len, const void *option, void *us break; case SD_DHCP_OPTION_MAXIMUM_MESSAGE_SIZE: - if (len == 2) + + if (len == 2 && unaligned_read_be16(option) >= sizeof(DHCPPacket)) req->max_optlen = unaligned_read_be16(option) - sizeof(DHCPPacket); break; -- cgit v1.2.3-54-g00ecf