DHCPv6: catch the NTP server suboptions being longer than the whole packet

A router here sends the type and length of suboptions of the NTP Server
option in dhcpv6 replies in little endian. So the NTP Server option
looks like:

	01:00:10:00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:ff:fe:xx:xx:xx

instead of

	00:01:00:10:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:ff:fe:xx:xx:xx

. This makes the dissector throw an exception "Malformed Packet" which
results in the following options not being dissected.

So check the suboption's length before adding the subtree. This improves
diagnostics ("suboption too long" instead of "Malformed Packet") and
results in the suboptions after the bogus one being parsed.

Bug: 15542
Change-Id: Ifbafc23b3dbb7ca389b89936e9d1d15ecc82396e
Reviewed-on: https://code.wireshark.org/review/32223
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>

epan/dissectors/packet-dhcpv6.c

@@ -1496,6 +1496,10 @@ dhcpv6_option(tvbuff_t *tvb, packet_info *pinfo, proto_tree *bp_tree,
         while (optlen > temp_optlen) {
             subopt_type = tvb_get_ntohs(tvb, off + temp_optlen);
             subopt_len = tvb_get_ntohs(tvb,  off + 2 + temp_optlen);
+            if (subopt_len > optlen - temp_optlen) {
+                expert_add_info_format(pinfo, option_item, &ei_dhcpv6_malformed_option, "NFS Server: suboption too long");
+                break;
+            }
             subtree_2 = proto_tree_add_subtree(subtree, tvb, off+temp_optlen, 4 + subopt_len, ett_dhcpv6_netserver_option, &ti,
                                      val_to_str(subopt_type, ntp_server_opttype_vals, "NTP Server suboption %u"));
             proto_tree_add_item(subtree_2, hf_option_ntpserver_type,   tvb, off + temp_optlen,     2, ENC_BIG_ENDIAN);