From cbbda0959921f2350a51dc0b342c00a1624ba2bd Mon Sep 17 00:00:00 2001 From: Tamer Ahmed Date: Fri, 11 Dec 2020 16:28:05 -0800 Subject: [PATCH] [relay]: Prevent Buffer Overrun Of Malformed DHCP Packet (#6057) [dhcp-relay]: Prevent Buffer Overrun Of Malformed DHCP Packet The add/strip relay agent options does not take into account the buffer length and so it is possible to overrun the buffer. The issue will result in contents from previous packet being added to the current one. signed-off-by: Tamer Ahmed --- ...11-dhcp-relay-Prevent-Buffer-Overrun.patch | 30 +++++++++++++++++++ src/isc-dhcp/patch/series | 1 + 2 files changed, 31 insertions(+) create mode 100644 src/isc-dhcp/patch/0011-dhcp-relay-Prevent-Buffer-Overrun.patch diff --git a/src/isc-dhcp/patch/0011-dhcp-relay-Prevent-Buffer-Overrun.patch b/src/isc-dhcp/patch/0011-dhcp-relay-Prevent-Buffer-Overrun.patch new file mode 100644 index 000000000..fda59d9e6 --- /dev/null +++ b/src/isc-dhcp/patch/0011-dhcp-relay-Prevent-Buffer-Overrun.patch 
@@ -0,0 +1,30 @@ +From 19e400c1040e3621db6a0d8dd70d18c431d1a848 Mon Sep 17 00:00:00 2001 +From: Tamer Ahmed +Date: Sat, 28 Nov 2020 16:28:37 -0800 +Subject: [PATCH] [dhcp-relay] Prevent Buffer Overrun + +The add/strip relay agent options do not take into account the buffer +length and so it is possible to overrun the buffer. The issue will +result in contents from previous packet being added to the current one. + +signed-off-by: Tamer Ahmed +--- + relay/dhcrelay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c +index 055d97f..1cd99b9 100644 +--- a/relay/dhcrelay.c ++++ b/relay/dhcrelay.c +@@ -1527,7 +1527,7 @@ add_relay_agent_options(struct interface_info *ip, struct dhcp_packet *packet, + /* Commence processing after the cookie. */ + sp = op = &packet->options[4]; + +- while (op < max) { ++ while ((op < max) && (op < (((u_int8_t *)packet) + length))) { + switch(*op) { + /* Skip padding... */ + case DHO_PAD: +-- +2.17.1 + diff --git a/src/isc-dhcp/patch/series b/src/isc-dhcp/patch/series index 30646e9cc..a34b5bf4b 100644 --- a/src/isc-dhcp/patch/series +++ b/src/isc-dhcp/patch/series @@ -9,3 +9,4 @@ 0008-Don-t-skip-down-interfaces-when-discovering-interfac.patch 0009-Support-for-dual-tor-scenario.patch 0010-Bugfix-correctly-set-interface-netmask.patch +0011-dhcp-relay-Prevent-Buffer-Overrun.patch
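Review bot: The new bound in the `while` condition of `add_relay_agent_options` only guards the byte at `op` (the option code read by `switch(*op)`); every option other than `DHO_PAD` also has a length byte and a payload that the loop body must read past `op`, and those reads are not covered by this check, so a packet whose final option is truncated can still be read beyond `length`. Suggest computing the end once before the loop, clamping `max` to it, and then requiring that the length byte and the full option fit before they are dereferenced, along the lines of `end = ((u_int8_t *)packet) + length; if (max > end) max = end;` followed by a per-option check such as `if (op + 1 >= max || op + 2 + op[1] > max) break;`. Recasting `packet` on every iteration is also harder to read than a single `end` pointer. Separately, both commit messages say the add/strip relay agent options ignore the buffer length, but the diffstat shows one insertion and one deletion in `add_relay_agent_options` only; either the strip path needs the same treatment in this patch or the description should be narrowed to what is actually changed.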