The following commit has been merged in the master branch: commit 459c4e49ba2d590ebd9e15c2f9688fd687d077b6 Author: Antonio Quartulli ordex@autistici.org Date: Mon Feb 27 11:29:53 2012 +0100
batman-adv: fix wrong dhcp option list browsing
In is_type_dhcprequest(), while parsing a DHCP message, if the entry we found in the option list is neither a padding nor the dhcp-type, we have to ignore it and jump as many bytes as its length + 1. The "+ 1" byte is given by the subtype field itself that has to be jumped too.
Reported-by: Marek Lindner lindner_marek@yahoo.de Signed-off-by: Antonio Quartulli ordex@autistici.org
diff --git a/gateway_client.c b/gateway_client.c index 65a77a1..1f7e92d 100644 --- a/gateway_client.c +++ b/gateway_client.c @@ -563,10 +563,10 @@ static bool is_type_dhcprequest(struct sk_buff *skb, int header_len) p++;
/* ...and then we jump over the data */ - if (pkt_len < *p) + if (pkt_len < 1 + (*p)) goto out; - pkt_len -= *p; - p += (*p); + pkt_len -= 1 + (*p); + p += 1 + (*p); } } out: