batman-adv: fix wrong dhcp option list browsing

In is_type_dhcprequest(), while parsing a DHCP message, if the entry we found in
the option list is neither a padding nor the dhcp-type, we have to ignore it and
jump as many bytes as its length + 1. The "+ 1" byte is given by the subtype
field itself that has to be jumped too.

Reported-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Antonio Quartulli <ordex@autistici.org>

diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index 6f9b9b78f77d253396cfc9fab961d7dcb656c1ff..47f7186dcefcdce2e090e80660ed8bb6dba369c2 100644 (file)
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -558,10 +558,10 @@ static bool is_type_dhcprequest(struct sk_buff *skb, int header_len)
                        p++;
 
                        /* ...and then we jump over the data */
-                       if (pkt_len < *p)
+                       if (pkt_len < 1 + (*p))
                                goto out;
-                       pkt_len -= *p;
-                       p += (*p);
+                       pkt_len -= 1 + (*p);
+                       p += 1 + (*p);
                }
        }
 out: