authorSamuel Tan <samueltan@google.com>2016-01-08 09:46:36 -0800
committerSamuel Tan <samueltan@google.com>2016-01-08 09:46:36 -0800
commitb745ca9d2d2d127870e6245c50417fc778080e6a (patch)
tree191d5ec478ef80cbe6d138d8d5d4e76fb53b35b2
parentddbf02ae19016710a31fca4b2bc26f08a6fe191f (diff)
downloaddhcpcd-6.8.2-b745ca9d2d2d127870e6245c50417fc778080e6a.tar.gz
[PATCH] UPSTREAM: Ensure that option length fits inside data length less option sizebrillo-m9-releasebrillo-m9-dev
Ensure that option length fits inside data length less option size. Thanks to Nico Golde for the report. Fixes CVE-2016-1504 http://roy.marples.name/projects/dhcpcd/ci/595883e2a431f65d?sbs=1 BUG: 26461547 Change-Id: I8bbb01eda998a0d7e552dcd4bf22db14c796d90e
-rw-r--r--dhcp.c3
-rw-r--r--dhcp6.c3
2 files changed, 4 insertions, 2 deletions
diff --git a/dhcp.c b/dhcp.c
index 5bb16b9..f1cdc36 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -1257,12 +1257,13 @@ dhcp_getoption(struct dhcpcd_ctx *ctx,
*os = 2; /* code + len */
*code = (unsigned int)*od++;
*len = (size_t)*od++;
- if (*len > ol) {
+ if (*len > ol - *os) {
errno = EINVAL;
return NULL;
}
}
+ *oopt = NULL;
for (i = 0, opt = ctx->dhcp_opts; i < ctx->dhcp_opts_len; i++, opt++) {
if (opt->option == *code) {
*oopt = opt;
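Review bot: The new bound `*len > ol - *os` is an unsigned subtraction, so it only holds if `ol >= *os` was already established, and that guard is not visible in this hunk. dhcp_getoption begins above the hunk, so the check presumably sits just before `*os = 2`. If it is there, a one-line comment such as `/* ol >= *os was checked above, so ol - *os cannot wrap */` would keep the dependency from being lost in a later refactor. If it is not, the test should be `if (ol < *os || *len > ol - *os) {`, because a wrapped difference would accept any length. The same applies to the matching change in dhcp6_getoption in dhcp6.c.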
diff --git a/dhcp6.c b/dhcp6.c
index 238acd4..ea37fe3 100644
--- a/dhcp6.c
+++ b/dhcp6.c
@@ -258,7 +258,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
}
o = (const struct dhcp6_option *)od;
*len = ntohs(o->len);
- if (*len > ol) {
+ if (*len > ol - *os) {
errno = EINVAL;
return NULL;
}
@@ -266,6 +266,7 @@ dhcp6_getoption(struct dhcpcd_ctx *ctx,
} else
o = NULL;
+ *oopt = NULL;
for (i = 0, opt = ctx->dhcp6_opts;
i < ctx->dhcp6_opts_len; i++, opt++)
{
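Review bot: `*oopt = NULL;` is placed after the `errno = EINVAL; return NULL;` exit shown in the previous hunk, so on a rejected option length the out-parameter is still left unwritten. A caller that reads `*oopt` without first checking the return value would then see an indeterminate pointer. Moving the assignment to the top of the function, before the `if (od)` block, would give every exit path a defined value. dhcp_getoption in dhcp.c has the same ordering. Both function bodies start and end outside the hunks, so the callers' handling cannot be confirmed from here.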