diff options
author | Antonio Quartulli <ordex@autistici.org> | 2012-02-27 11:29:53 +0100 |
---|---|---|
committer | Antonio Quartulli <ordex@autistici.org> | 2012-05-11 10:08:08 +0200 |
commit | 9205cc521ec74bd510857a464d4ac4edee949bfd (patch) | |
tree | ddc2e18bc62e0b8123df5c2ae956741e33222180 /net/batman-adv | |
parent | 06a4c1c55dbe5d9f7a708e8f1a52fd2ac8e5874f (diff) |
batman-adv: fix wrong dhcp option list browsing
In is_type_dhcprequest(), while parsing a DHCP message, if the entry we found in
the option list is neither a padding nor the dhcp-type, we have to ignore it and
jump as many bytes as its length + 1. The "+ 1" byte is given by the subtype
field itself that has to be jumped too.
Reported-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
Diffstat (limited to 'net/batman-adv')
-rw-r--r-- | net/batman-adv/gateway_client.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c index 6f9b9b78f77..47f7186dcef 100644 --- a/net/batman-adv/gateway_client.c +++ b/net/batman-adv/gateway_client.c @@ -558,10 +558,10 @@ static bool is_type_dhcprequest(struct sk_buff *skb, int header_len) p++; /* ...and then we jump over the data */ - if (pkt_len < *p) + if (pkt_len < 1 + (*p)) goto out; - pkt_len -= *p; - p += (*p); + pkt_len -= 1 + (*p); + p += 1 + (*p); } } out: |