Segfault in dhcp_parse_reply if no end marker

If no end marker is present in a DHCP reply, a null pointer is potentially
dereferenced.

Add fix and test case as proof of concept.
Henrik Persson 2012-08-30 13:57:33 +02:00 committed by goldsimon
parent 6b3179fbbf
commit 5e224aba6d


@ -1471,8 +1471,14 @@ decode_next:
if (offset >= q->len) { if (offset >= q->len) {
offset -= q->len; offset -= q->len;
offset_max -= q->len; offset_max -= q->len;
if (offset < offset_max && offset_max) {
q = q->next; q = q->next;
LWIP_ASSERT("next pbuf was null", q);
options = (u8_t*)q->payload; options = (u8_t*)q->payload;
} else {
// We've run out of bytes, probably no end marker. Don't proceed.
break;
}
} }
} }
/* is this an overloaded message? */ /* is this an overloaded message? */
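Review bot: The new guard `if (offset < offset_max && offset_max)` decides from byte counts alone whether to advance, but `q = q->next` is still protected only by `LWIP_ASSERT("next pbuf was null", q)` before `q->payload` is read. In a build where that assert is compiled out or non-fatal, a pbuf chain that ends before `offset_max` bytes have been consumed would still dereference a null pointer at this spot. Consider testing `q->next != NULL` in the same condition and taking the `break` path otherwise, so the check does not depend on the assert. Two smaller points: if the counters are unsigned, `offset < offset_max` already implies a non-zero `offset_max`, so the trailing `&& offset_max` is redundant; and the `//` comment in the `else` branch differs from the `/* ... */` style used in the surrounding lines.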