From 8d11b33f6c60e2db257130fa383ba76b6018bcf6 Mon Sep 17 00:00:00 2001
From: Roy Marples
Date: Fri, 19 Apr 2019 09:45:02 +0100
Subject: [PATCH] DHCPv6: Fix a potential buffer overflow reading NA/TA addresses

Only copy upto the size of the address option rather than the option length.

Found by Maxime Villard
---
 src/dhcp6.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/dhcp6.c b/src/dhcp6.c
index 99a452bb..8fc4f000 100644
--- a/src/dhcp6.c
+++ b/src/dhcp6.c
@@ -2029,12 +2029,12 @@ dhcp6_findna(struct interface *ifp, uint16_t ot, const uint8_t *iaid,
 nd = o + ol;
 l -= (size_t)(nd - d);
 d = nd;
- if (ol < 24) {
+ if (ol < sizeof(ia)) {
 errno = EINVAL;
 logerrx("%s: IA Address option truncated", ifp->name);
 continue;
 }
- memcpy(&ia, o, ol);
+ memcpy(&ia, o, sizeof(ia));
 ia.pltime = ntohl(ia.pltime);
 ia.vltime = ntohl(ia.vltime);
 /* RFC 3315 22.6 */
-- 
2.21.0
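Review bot: The truncation check `if (ol < sizeof(ia))` and the copy `memcpy(&ia, o, sizeof(ia))` now both depend on `sizeof(ia)` being exactly the 24-byte option body that the old literal spelled out, and nothing visible in the hunk pins that. The declaration of `ia` is outside the hunk, so I cannot confirm its type is packed. If the struct ever gains padding or a field, valid options would be rejected as truncated and `pltime`/`vltime` would be read from the wrong offsets. A compile-time guard after the declaration would make the assumption explicit: `_Static_assert(sizeof(ia) == 24, "IA Address option body is 24 bytes");`. A short comment on the `memcpy` would also help, noting that bytes past `sizeof(ia)` are sub-options and are deliberately not copied. The body of dhcp6_findna starts and ends outside this hunk.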