dhcp: Always send DHCP_OPT_LEN bytes in options

Git-commit: d7fb54218424c3b2517aee5b391ced0f75386a5d
References: bsc#1187364, CVE-2021-3592

RFC2131 suggests that the options field may be at least 312 bytes.
Some DHCP clients seem to assume that it has to be at least 312 bytes.

Fixes #51
Fixes: f13cad45b25d92760bb0ad67bec0300a4d7d5275 ("bootp: limit
vendor-specific area to input packet memory buffer")

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>

diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
index cafa1eb1f36ad010c36f2fbb343efce9caf1eeb7..d78d61b44cdcb47ba7f7019bdffb18ecb5b61a63 100644 (file)
--- a/slirp/src/bootp.c
+++ b/slirp/src/bootp.c
@@ -355,11 +355,13 @@ static void bootp_reply(Slirp *slirp,
         q += sizeof(nak_msg) - 1;
     }
     assert(q < end);
-    *q = RFC1533_END;
+    *q++ = RFC1533_END;
 
     daddr.sin_addr.s_addr = 0xffffffffu;
 
-    m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr);
+    assert(q <= end);
+
+    m->m_len = sizeof(struct bootp_t) + (end - rbp->bp_vend) - sizeof(struct ip) - sizeof(struct udphdr);
     udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY);
 }