author Francois Berder <[email protected]> 2026-05-15 18:56:51 +0200
committer Jerome Forissier <[email protected]> 2026-06-03 17:22:24 +0200
commit f447887238822af40582483112cab524926e9258 (patch)
tree c42762e2a4ce257f3ac141d619523c0813e51435 /programs/fuzz
parent 2b612de8952d448ab6345c5af6e28fecea1a2f1e (diff)
net: bootp: Prevent out-of-bounds read in dhcp_message_type

dhcp_message_type() scans DHCP options looking for a 0xff end-of-options marker with no check that the scan pointer stays within the received packet. A server can send a crafted OFFER with no 0xff terminator and large option length fields, advancing the pointer past bp_vend[312] into adjacent heap memory.

This is the same class of bug as CVE-2024-42040, which fixed the related bootp_process_vendor() call site.

Fix it by adding an end parameter to dhcp_message_type() and checking that popt is lower than end.

Signed-off-by: Francois Berder <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>

Diffstat (limited to 'programs/fuzz')
0 files changed, 0 insertions, 0 deletions
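
The bounded option scan described in the commit message, as an added example in C; it is not U-Boot's code or the patch itself. `scan_msg_type` and the sample buffers are hypothetical, the scan is assumed to start just after the magic cookie, and it goes beyond the stated `popt < end` check by also validating each option's length byte and value against `end`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD      0      /* single byte, no length field */
#define OPT_MSG_TYPE 53     /* DHCP Message Type */
#define OPT_END      0xff   /* end-of-options marker */

/* Hypothetical helper (not the project's function): returns the DHCP message
 * type, or -1 if it is absent or the options are malformed. `end` points one
 * past the last received byte; no read is made at or beyond it. */
int scan_msg_type(const uint8_t *opt, const uint8_t *end)
{
	while (opt < end && *opt != OPT_END) {
		if (*opt == OPT_PAD) {
			opt++;
			continue;
		}
		if (end - opt < 2)                  /* length byte is missing */
			return -1;
		size_t len = opt[1];
		if ((size_t)(end - opt) - 2 < len)  /* value runs past the packet */
			return -1;
		if (*opt == OPT_MSG_TYPE)
			return len >= 1 ? opt[2] : -1;
		opt += 2 + len;                     /* skip code, length, value */
	}
	return -1;                              /* hit OPT_END or end of data */
}

/* Constructed sample inputs (not captured traffic). */
/* Pad, subnet mask, message type 2 (OFFER), end marker. */
static const uint8_t good[] = { 0, 1, 4, 255, 255, 255, 0, 53, 1, 2, 0xff };
/* No 0xff terminator; option claims 200 value bytes but only 2 follow. */
static const uint8_t bad[]  = { 12, 200, 'a', 'b' };
/* Message type option cut off right after its length byte. */
static const uint8_t cut[]  = { 53, 1 };

int main(void)
{
	printf("good: %d\n", scan_msg_type(good, good + sizeof(good)));
	printf("bad:  %d\n", scan_msg_type(bad, bad + sizeof(bad)));
	printf("cut:  %d\n", scan_msg_type(cut, cut + sizeof(cut)));
	return 0;
}
```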