From ff44b92c9641ffae799a5e12f88eb42294f24f2f Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Tue, 22 Oct 2019 06:53:50 +0200
Subject: ip/dhcpd: prevent client from increasing max reply size beyond the reply buffer capacity
---
 sys/src/cmd/ip/dhcpd/dhcpd.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/sys/src/cmd/ip/dhcpd/dhcpd.c b/sys/src/cmd/ip/dhcpd/dhcpd.c
index ee2a7ebaf..7ca52a049 100644
--- a/sys/src/cmd/ip/dhcpd/dhcpd.c
+++ b/sys/src/cmd/ip/dhcpd/dhcpd.c
@@ -1078,17 +1078,22 @@ parseoptions(Req *rp)
 v4tov6(rp->server, o);
 break;
 case ODmessage:
- if(n > sizeof rp->msg-1)
- n = sizeof rp->msg-1;
+ if(n > sizeof(rp->msg)-1)
+ n = sizeof(rp->msg)-1;
 memmove(rp->msg, o, n);
 rp->msg[n] = 0;
 break;
 case ODmaxmsg:
+ if(n < 2)
+ break;
 c = nhgets(o);
- c -= 28;
+ c -= IPUDPHDRSIZE;
+ if(c <= 0)
+ break;
 c += Udphdrsize;
- if(c > 0)
- rp->max = rp->buf + c;
+ if(c > sizeof(rp->buf))
+ c = sizeof(rp->buf);
+ rp->max = rp->buf + c;
 break;
 case ODclientid:
 if(n <= 1)
--
cgit v1.2.3
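Review bot: A small client-supplied maximum is still accepted in the ODmaxmsg case: the new code bounds the value from above, but any request whose option is just larger than IPUDPHDRSIZE sets `rp->max` only a few bytes past the UDP header in `rp->buf`, presumably before the end of the fixed reply header. RFC 2132 gives 576 as the minimum legal value for this option, so the case could ignore anything smaller and keep the default limit, with `if(c < 576) break;` placed right after `c = nhgets(o);`. Whether the reply builders tolerate `rp->max` sitting below their write pointer cannot be judged from here, because parseoptions and the code that consumes `rp->max` continue outside the hunk. The clamp also relies on `rp->buf` being an array member of Req rather than a pointer, since otherwise `sizeof(rp->buf)` is the pointer size; the declaration is not in the hunk, so that is worth confirming.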