Fix DoS vulnerability in DHO_OPTIONSOVERLOADED.

lcolitti · andi34 · commit 61ea854f549b · 2016-04-08T19:27:33.000+02:00
Bug: 16677003
Change-Id: I6ac3318c04fa99d964e15aa2f06a5794daf61c7e
(cherry picked from commit eae50520f9880b7ffc25a22f39df8013c34768bc)
diff --git a/dhcp.c b/dhcp.c
@@ -352,7 +352,7 @@ get_option(const struct dhcp_message *dhcp, uint8_t opt, int *len, int *type)
 		case DHO_OPTIONSOVERLOADED:
 			/* Ensure we only get this option once */
 			if (!overl)
-				overl = p[1];
+				overl = 0x80 | p[1];
 			break;
 		}
 		l = *p++;

Original file line number	Diff line number	Diff line change
`@@ -352,7 +352,7 @@ get_option(const struct dhcp_message dhcp, uint8_t opt, int len, int *type)`
`352`	`352`	`case DHO_OPTIONSOVERLOADED:`
`353`	`353`	`/* Ensure we only get this option once */`
`354`	`354`	`if (!overl)`
`355`		`- overl = p[1];`
	`355`	`+ overl = 0x80 \| p[1];`
`356`	`356`	`break;`
`357`	`357`	`}`
`358`	`358`	`l = *p++;`