From 7f8c8078a123a2bbf7ce0eff7831c078cb3f8647 Mon Sep 17 00:00:00 2001 From: Beniamino Galvani Date: Wed, 24 Nov 2021 16:57:23 +0100 Subject: [PATCH] dhcp: accept IPv4-address options longer than expected Some DHCP servers send duplicate options, and we concatenate them according to RFC 3396 section 7. Therefore, it's possible that a option carrying a IPv4 address has a length > 4. See also commit 1cbf9d22a5f6 ('n-dhcp4: accept options that are longer than requested') which did something similar in the nettools client. https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/848 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1034 --- src/core/dhcp/nm-dhcp-utils.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/core/dhcp/nm-dhcp-utils.c b/src/core/dhcp/nm-dhcp-utils.c index a167673598..72a77cfe9e 100644 --- a/src/core/dhcp/nm-dhcp-utils.c +++ b/src/core/dhcp/nm-dhcp-utils.c @@ -1010,7 +1010,11 @@ nm_dhcp_lease_data_parse_in_addr(const guint8 *data, gsize n_data, in_addr_t *ou * - option 28, https://tools.ietf.org/html/rfc2132#section-5.3 */ - if (n_data != 4) + /* Some DHCP servers send duplicate options, and we concatenate them + * according to RFC 3396 section 7. Therefore, it's possible that a + * option carrying a IPv4 address has a length > 4. + */ + if (n_data < 4) return FALSE; *out_val = unaligned_read_ne32(data);