mirror of
https://github.com/pi-hole/dnsmasq.git
synced 2025-12-19 10:18:25 +00:00
591ed1e905
The check that there's enough space to store the DHCP agent-id at the end of the packet could succeed when it should fail if the END option is in either of the oprion-overload areas. That could overwrite legit options in the request and cause bad behaviour. It's highly unlikely that any sane DHCP client would trigger this bug, and it's never been seen, but this fixes the problem. Also fix off-by-one in bounds checking of option processing. Worst case scenario on that is a read one byte beyond the end off a buffer with a crafted packet, and maybe therefore a SIGV crash if the memory after the buffer is not mapped. Thanks to Timothy Becker for spotting these.