sonic-net · tahmed-dev · Dec 12, 2020 · Nov 29, 2020 · Dec 1, 2020 · Dec 10, 2020
diff --git a/src/isc-dhcp/patch/0011-dhcp-relay-Prevent-Buffer-Overrun.patch b/src/isc-dhcp/patch/0011-dhcp-relay-Prevent-Buffer-Overrun.patch
@@ -0,0 +1,30 @@
+From 19e400c1040e3621db6a0d8dd70d18c431d1a848 Mon Sep 17 00:00:00 2001
+From: Tamer Ahmed <tamer.ahmed@microsoft.com>
+Date: Sat, 28 Nov 2020 16:28:37 -0800
+Subject: [PATCH] [dhcp-relay] Prevent Buffer Overrun
+
+The add/strip relay agent options do not take into account the buffer
+length and so it is possible to overrun the buffer. The issue will
+result in contents from previous packet being added to the current one.
+
+signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
+---
+ relay/dhcrelay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
+index 055d97f..1cd99b9 100644
+--- a/relay/dhcrelay.c
++++ b/relay/dhcrelay.c
+@@ -1527,7 +1527,7 @@ add_relay_agent_options(struct interface_info *ip, struct dhcp_packet *packet,
+ 	/* Commence processing after the cookie. */
+ 	sp = op = &packet->options[4];
+
+-	while (op < max) {
++	while ((op < max) && (op < (((u_int8_t *)packet) + length))) {
+ 		switch(*op) {
+ 			/* Skip padding... */
+ 		      case DHO_PAD:
+-- 
+2.17.1
+
diff --git a/src/isc-dhcp/patch/series b/src/isc-dhcp/patch/series
@@ -9,3 +9,4 @@
 0008-Don-t-skip-down-interfaces-when-discovering-interfac.patch
 0009-Support-for-dual-tor-scenario.patch
 0010-Bugfix-correctly-set-interface-netmask.patch
+0011-dhcp-relay-Prevent-Buffer-Overrun.patch