diff -up dhcp-4.2.1-P1/common/discover.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/common/discover.c
--- dhcp-4.2.1-P1/common/discover.c.CVE-2011-2748-2749 2011-08-11 09:31:41.105937401 +0200
+++ dhcp-4.2.1-P1/common/discover.c 2011-08-11 09:31:41.217936038 +0200
@@ -1389,12 +1389,16 @@ isc_result_t got_one (h)
 if (result == 0)
 return ISC_R_UNEXPECTED;
 
- /* If we didn't at least get the fixed portion of the BOOTP
- packet, drop the packet. We're allowing packets with no
- sname or filename, because we're aware of at least one
- client that sends such packets, but this definitely falls
- into the category of being forgiving. */
- if (result < DHCP_FIXED_NON_UDP - DHCP_SNAME_LEN - DHCP_FILE_LEN)
+ /*
+ * If we didn't at least get the fixed portion of the BOOTP
+ * packet, drop the packet.
+ * Previously we allowed packets with no sname or filename
+ * as we were aware of at least one client that did. But
+ * a bug caused short packets to not work and nobody has
+ * complained, it seems rational to tighten up that
+ * restriction.
+ */
+ if (result < DHCP_FIXED_NON_UDP)
 return ISC_R_UNEXPECTED;
 
 if (bootp_packet_handler) {
diff -up dhcp-4.2.1-P1/common/options.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/common/options.c
--- dhcp-4.2.1-P1/common/options.c.CVE-2011-2748-2749 2011-08-11 09:31:41.160936728 +0200
+++ dhcp-4.2.1-P1/common/options.c 2011-08-11 09:31:41.218936026 +0200
@@ -592,8 +592,8 @@ cons_options(struct packet *inpacket, st
 } else if (bootpp) {
 mb_size = 64;
 if (inpacket != NULL &&
- (inpacket->packet_length - DHCP_FIXED_LEN >= 64))
- mb_size = inpacket->packet_length - DHCP_FIXED_LEN;
+ (inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP))
+ mb_size = inpacket->packet_length - DHCP_FIXED_NON_UDP;
 } else
 mb_size = DHCP_MIN_OPTION_LEN;
 
diff -up dhcp-4.2.1-P1/server/dhcp.c.CVE-2011-2748-2749 dhcp-4.2.1-P1/server/dhcp.c
--- dhcp-4.2.1-P1/server/dhcp.c.CVE-2011-2748-2749 2011-08-11 09:31:41.034938265 +0200
+++ dhcp-4.2.1-P1/server/dhcp.c 2011-08-11 09:31:41.220936002 +0200
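Review bot: The rewritten comment above `if (result < DHCP_FIXED_NON_UDP)` in got_one records why the old leniency was dropped but not what the check protects. Someone auditing the receive path would want it stated that code after this point may rely on a complete fixed BOOTP header, for example `* Everything below assumes the full fixed header was received.`; that reliance is inferred from the check itself and should be confirmed against the handlers, which are outside the hunk. The sentence "nobody has complained, it seems rational to tighten up" is also a run-on and reads better as `* complained, so it seems rational to tighten up that`. got_one starts and ends outside the hunk.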
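Review bot: Nothing in the bootpp branch of cons_options explains why the bound is now written additively as `(inpacket->packet_length >= 64 + DHCP_FIXED_NON_UDP)`. If packet_length is unsigned (its type is not visible here), the old subtractive test wrapped for a packet shorter than the fixed header, so a later tidy-up could bring the wraparound back. A comment such as `/* Compare additively: the subtraction below would wrap for a packet shorter than the fixed header. */` would pin that down, and the literal 64, which now appears twice in this branch, could become a named constant. cons_options continues outside the hunk, so whether mb_size is capped against the output buffer before it is used should be confirmed there.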
@@ -2336,6 +2336,7 @@ void ack_lease (packet, lease, offer, wh
 * giaddr.
 */
 if (!packet->agent_options_stashed &&
+ (packet->options != NULL) &&
 packet->options->universe_count > agent_universe.index &&
 packet->options->universes[agent_universe.index] != NULL) {
 oc = lookup_option (&server_universe, state -> options,
@@ -4448,6 +4449,7 @@ maybe_return_agent_options(struct packet
 * by the user into the new state, not just give up.
 */
 if (!packet->agent_options_stashed &&
+ (packet->options != NULL) &&
 packet->options->universe_count > agent_universe.index &&
 packet->options->universes[agent_universe.index] != NULL &&
 (options->universe_count <= agent_universe.index ||
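Review bot: The guard that now includes `(packet->options != NULL)` is repeated verbatim in ack_lease and in maybe_return_agent_options (the hunk at -4448), so any further correction to it has to be made in two places. A small static predicate holding the stashed, NULL, universe_count and universes checks would keep both call sites in step, with a one-line comment on when packet->options can be NULL. Both functions extend beyond their hunks, so any other dereference of packet->options in them is worth checking for the same guard.

```c
/* True when the packet carries relay agent options that have not been stashed yet. */
static int
packet_has_unstashed_agent_options(struct packet *packet)
{
	return (!packet->agent_options_stashed &&
		packet->options != NULL &&
		packet->options->universe_count > agent_universe.index &&
		packet->options->universes[agent_universe.index] != NULL);
}

/* ... unchanged: ack_lease up to the agent-options test ... */
	if (packet_has_unstashed_agent_options(packet)) {
```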