From 4a5f55a5dec707e7379a5332e40192509324182c Mon Sep 17 00:00:00 2001
From: Michael Stapelberg <stapelberg@google.com>
Date: Wed, 27 May 2020 09:50:04 +0200
Subject: [PATCH] defense in depth: verify hex.DecodeString length

related to #49
---
 internal/dhcp4d/dhcp4d.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/dhcp4d/dhcp4d.go b/internal/dhcp4d/dhcp4d.go
index a49726b..2bf2ea7 100644
--- a/internal/dhcp4d/dhcp4d.go
+++ b/internal/dhcp4d/dhcp4d.go
@@ -255,6 +255,10 @@ func (h *Handler) leasePeriodForDevice(hwAddr string) time.Duration {
 	if err != nil {
 		return h.LeasePeriod
 	}
+	if len(hwAddrPrefix) != 6 {
+		// Invalid MAC address
+		return h.LeasePeriod
+	}
 	hwAddrPrefix = hwAddrPrefix[:3]
 	i := sort.Search(len(nintendoMacPrefixes), func(i int) bool {
 		return bytes.Compare(nintendoMacPrefixes[i][:], hwAddrPrefix) >= 0