Segfault in dhcp_parse_reply if no end marker

If no endmarker is present in a dhcp reply a null pointer is potentially dereferenced. Add fix and test case as proof of concept.
2024-11-16 14:11:02 +00:00 · 2012-08-30 13:57:33 +02:00 · 2012-08-30 13:57:33 +02:00 · 5e224aba6d
commit 5e224aba6d
parent 6b3179fbbf
1 changed files with 8 additions and 2 deletions
--- a/src/core/dhcp.c
+++ b/src/core/dhcp.c
@ -1471,8 +1471,14 @@ decode_next:
    if (offset >= q->len) {
      offset -= q->len;
      offset_max -= q->len;
-      q = q->next;
-      options = (u8_t*)q->payload;
+      if (offset < offset_max && offset_max) {
+        q = q->next;
+        LWIP_ASSERT("next pbuf was null", q);
+        options = (u8_t*)q->payload;
+      } else {
+        // We've run out of bytes, probably no end marker. Don't proceed.
+        break;
+      }
    }
  }
  /* is this an overloaded message? */