Index: options.c
===================================================================
RCS file: /home/ncvs/src/contrib/isc-dhcp/common/options.c,v
retrieving revision 1.1.1.8
diff -u -r1.1.1.8 options.c
--- options.c	16 Jan 2003 07:04:50 -0000	1.1.1.8
+++ options.c	3 Jul 2003 04:32:32 -0000
@@ -124,7 +124,7 @@
 	unsigned char *t;
 	const unsigned char *end = buffer + length;
 	unsigned len, offset;
-	int code;
+	int code, rlen;
 	struct option_cache *op = (struct option_cache *)0;
 	struct buffer *bp = (struct buffer *)0;
 
@@ -145,6 +145,7 @@
 		/* Don't look for length if the buffer isn't that big. */
 		if (offset + 2 > length) {
 			len = 65536;
+			rlen = -1;
 			goto bogus;
 		}
 
@@ -153,13 +154,18 @@
 		len = buffer [offset + 1];
 
 		/* If the length is outrageous, the options are bad. */
-		if (offset + len + 2 > length) {
+		rlen = length - offset - 2;
+		if (rlen < len) {
 		      bogus:
 			log_error ("parse_option_buffer: option %s (%d) %s.",
 				   dhcp_options [code].name, len,
 				   "larger than buffer");
-			buffer_dereference (&bp, MDL);
-			return 0;
+			if (rlen < 0) {
+				buffer_dereference (&bp, MDL);
+				return 0;
+			}
+			/* XXX fixup */
+			len = rlen;
 		}
 
 		/* If the option contains an encapsulation, parse it.   If