From be37986a0fe72c5776d88b6fb7b1381ddb93189e Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Sun, 23 Dec 2012 12:01:39 +0000
Subject: [PATCH] Better error checking in DHCPv6 dhcp-range option parsing.
---
 src/option.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/option.c b/src/option.c
index 59be9d4..0f0f3cb 100644
--- a/src/option.c
+++ b/src/option.c
@@ -2371,6 +2371,13 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 a[leasepos][strlen(a[leasepos]) - 1] = 0;
 }
+ for (cp = a[leasepos]; *cp; cp++)
+ if (!(*cp >= '0' && *cp <= '9'))
+ break;
+
+ if (!cp || (leasepos+1 < k))
+ ret_err(_("bad dhcp-range"));
+
 new->lease_time = atoi(a[leasepos]) * fac;
 /* Leases of a minute or less confuse some clients, notably Apple's */
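Review bot: The new guard `if (!cp || (leasepos+1 < k))` tests the pointer rather than the character it points at, so the digit scan above it has no effect. `cp` starts at `a[leasepos]` and is only incremented, so `!cp` is never true after the loop, and a lease field containing non-digits still reaches `atoi()`, which silently parses only the leading digits. The check should test the terminator: `if (*cp || (leasepos+1 < k))`. An empty lease field also passes the scan and yields 0 from `atoi()`, and `atoi(a[leasepos]) * fac` has no range check on a long digit string; a `strtol` with an `errno`/`endptr` test plus a bound before the multiply would cover both. The body of one_opt starts and ends outside this hunk, so how `a[leasepos]`, `k` and `fac` are set up cannot be confirmed from here.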