Simon Horman <[email protected]> wrote:
> > - eq = memchr(opt, '=', opt_len) ?: end;
> > + eq = memchr(opt, '=', opt_len) ?: next_opt;
> > opt_nlen = eq - opt;
> > eq++;
>
> It seems risky to advance eq++ in the case there the value is empty.
> Its not not pointing to the value but it may be accessed twice further on
> in this loop.
>
> > opt_vlen = next_opt - eq; /* will be -1 if no value */
Yes, but note the next line ^^^ and the comment thereon.
This is followed later by a check:
if (opt_vlen <= 0)
goto bad_option_value;
in the dnserror option handler.
Note, also, there is guaranteed to be a NUL char included at the end of the
payload data, and that this is checked:
if (datalen <= 1 || !data || data[datalen - 1] != '\0') {
David
