From: Antonio Quartulli Date: Mon, 27 Feb 2012 10:29:53 +0000 (+0100) Subject: batman-adv: fix wrong dhcp option list browsing X-Git-Tag: firefly_0821_release~3680^2~2787^2~106^2~14 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=9205cc521ec74bd510857a464d4ac4edee949bfd;p=firefly-linux-kernel-4.4.55.git batman-adv: fix wrong dhcp option list browsing In is_type_dhcprequest(), while parsing a DHCP message, if the entry we found in the option list is neither a padding nor the dhcp-type, we have to ignore it and jump as many bytes as its length + 1. The "+ 1" byte is given by the subtype field itself that has to be jumped too. Reported-by: Marek Lindner Signed-off-by: Antonio Quartulli --- diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c index 6f9b9b78f77d..47f7186dcefc 100644 --- a/net/batman-adv/gateway_client.c +++ b/net/batman-adv/gateway_client.c @@ -558,10 +558,10 @@ static bool is_type_dhcprequest(struct sk_buff *skb, int header_len) p++; /* ...and then we jump over the data */ - if (pkt_len < *p) + if (pkt_len < 1 + (*p)) goto out; - pkt_len -= *p; - p += (*p); + pkt_len -= 1 + (*p); + p += 1 + (*p); } } out: