From cc0f0662679a81185b8467efef4347cd7a686c31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Wed, 16 Apr 2025 23:07:49 +0200
Subject: [PATCH] Return early from parsing DHCP response if End is encoutered
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Up until now DHCP response was parsed by reading the option and the length first. The length field obviously does not apply to the End option, so if muvm got a response that ended exactly at the End byte, muvm would crash because of an out-of-bound read.

Signed-off-by: Nikodem RabuliƄski
---
 crates/muvm/src/guest/net.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/crates/muvm/src/guest/net.rs b/crates/muvm/src/guest/net.rs
index 1656e88e..dec04cc1 100644
--- a/crates/muvm/src/guest/net.rs
+++ b/crates/muvm/src/guest/net.rs
@@ -171,6 +171,12 @@ fn do_dhcp(rtnl: &NlRouter) -> Result<()> {
 while p < len {
 let o = msg[p];
+
+ if o == 0xff {
+ // Option 255: End (of options)
+ break;
+ }
+
 let l: u8 = msg[p + 1];
 p += 2; // Length doesn't include code and length field itself
@@ -195,9 +201,6 @@ fn do_dhcp(rtnl: &NlRouter) -> Result<()> {
 // We don't know yet if IPv6 is available: don't go below 1280 B
 mtu = mtu.clamp(1280, 65520);
- } else if o == 0xff {
- // Option 255: End (of options)
- break;
 }
 p += l as usize;
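Review bot: The length read `let l: u8 = msg[p + 1];` directly below the new End check in the first hunk is still unguarded, so a response whose last byte is any option code other than 0xff would presumably hit the same out-of-bounds panic the commit message describes (how `msg` and `len` are set up lies outside the hunk, so confirm against the buffer definition). A guard before the read, `if p + 1 >= len { break; }`, would make a truncated reply stop parsing cleanly instead of crashing. Pad (option 0) is likewise a single byte with no length field in RFC 2132, so it wants the same early handling, e.g. `if o == 0 { p += 1; continue; }`. The option-value reads between the two hunks are not visible here; if they index `msg` from `p`, the length `l` needs checking against `len` there as well, since the reply is network input.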