[PATCH] UPSTREAM: Zero length embedded option

Cherry-picked from
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/
master/net-misc/dhcpcd/files/patches/dhcpcd-6.8.2-UPSTREAM-Zero-Length-
Embedded-Option.patch.

When we have a zero length for an embedded option, warn if any
more data or not the last option and return the number of
currently processed options. This fixes a potential buffer
overrun for options where the last embedded optional is an
optional string. Thanks to Paul Stewart @ Chromium for the fix.

http://roy.marples.name/projects/dhcpcd/ci/732e88eaa0?sbs=0

BUG: 22956197
Change-Id: I0291624e28fcec8f4d6f3affeb8fec1fff332f19

Reviewed-on: https://chromium-review.googlesource.com/281000

1 files changed, 15 insertions, 3 deletions

diff --git a/dhcp-common.c b/dhcp-common.c
index b0a2012..9ac226a 100644
--- a/dhcp-common.c
+++ b/dhcp-common.c
@@ -846,9 +846,20 @@ dhcp_envoption(struct dhcpcd_ctx *ctx, char **env, const char *prefix,
 	n = 0;
 	for (i = 0, eopt = opt->embopts; i < opt->embopts_len; i++, eopt++) {
 		e = dhcp_optlen(eopt, ol);
-		if (e == 0)
-			/* Report error? */
-			return 0;
+		if (e == 0) {
+			/* An option was expected, but there is not enough
+			 * data for it.
+			 * This may not be an error as some options like
+			 * DHCP FQDN in RFC4702 have a string as the last
+			 * option which is optional.
+			 * FIXME: Add an flag to the options to indicate
+			 * wether this is allowable or not. */
+			 if (ol != 0 || i + 1 < opt->embopts_len)
+				logger(ctx, LOG_WARNING,
+				    "%s: %s: malformed option %d",
+				    ifname, __func__, opt->option);
+			 goto out;
+		}
 		/* Use the option prefix if the embedded option
 		 * name is different.
 		 * This avoids new_fqdn_fqdn which would be silly. */
@@ -901,6 +912,7 @@ dhcp_envoption(struct dhcpcd_ctx *ctx, char **env, const char *prefix,
 		}
 	}
 
+out:
 	if (env)
 		free(pfx);