From 5e224aba6d27024e8d2f5f130f5c767fb0987133 Mon Sep 17 00:00:00 2001
From: Henrik Persson
Date: Thu, 30 Aug 2012 13:57:33 +0200
Subject: [PATCH] Segfault in dhcp_parse_reply if no end marker

If no endmarker is present in a dhcp reply a null pointer is potentially dereferenced. Add fix and test case as proof of concept.
---
 src/core/dhcp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/core/dhcp.c b/src/core/dhcp.c
index 70121039..ec649d97 100644
--- a/src/core/dhcp.c
+++ b/src/core/dhcp.c
@@ -1471,8 +1471,14 @@ decode_next:
 if (offset >= q->len) {
 offset -= q->len;
 offset_max -= q->len;
- q = q->next;
- options = (u8_t*)q->payload;
+ if (offset < offset_max && offset_max) {
+ q = q->next;
+ LWIP_ASSERT("next pbuf was null", q);
+ options = (u8_t*)q->payload;
+ } else {
+ // We've run out of bytes, probably no end marker. Don't proceed.
+ break;
+ }
 }
 }
 /* is this an overloaded message? */
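Review bot: The added `LWIP_ASSERT("next pbuf was null", q);` does not guard the dereference on the next line, because LWIP_ASSERT is a debug-only macro that compiles to nothing under LWIP_NOASSERT, so a release build fed a reply whose pbuf chain is shorter than offset_max still reaches `options = (u8_t*)q->payload;` with q == NULL — the same crash the commit sets out to fix, on data that arrives from the network. Turn it into a runtime check that the parser acts on, e.g. `q = q->next; if (q == NULL) { break; }` before the payload read, keeping the assert for debug builds if desired. The `&& offset_max` term in the new condition looks redundant if offset is unsigned, since `offset < offset_max` already implies offset_max is non-zero; the declarations are outside the hunk, so worth confirming. The `//` comment is also out of step with the `/* */` style of the surrounding context lines. dhcp_parse_reply's body starts and ends outside the hunk.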