Commit e2624b82 authored by Evan Hunt

- Reworked cons_options() and store_options() to fix a buffer
  overflow that could result in a DoS (CVE-2007-0062).  Also general
  code tidying. [rt17090]
- Also fixed a spurious error message on the client. [rt17250]
parent 6b911c86
......@@ -1410,7 +1410,7 @@ struct client_lease *packet_to_lease (packet, client)
if (!(i & 2) && packet -> raw -> sname [0]) {
unsigned len;
/* Don't count on the NUL terminator. */
for (len = 0; len < 64; len++)
for (len = 0; len < DHCP_SNAME_LEN; len++)
if (!packet -> raw -> sname [len])
break;
lease -> server_name = dmalloc (len + 1, MDL);
......@@ -1429,7 +1429,7 @@ struct client_lease *packet_to_lease (packet, client)
if (!(i & 1) && packet -> raw -> file [0]) {
unsigned len;
/* Don't count on the NUL terminator. */
for (len = 0; len < 64; len++)
for (len = 0; len < DHCP_FILE_LEN; len++)
if (!packet -> raw -> file [len])
break;
lease -> filename = dmalloc (len + 1, MDL);
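Review bot: Both loops can now run to their bound without finding a terminator, so `len` may equal DHCP_SNAME_LEN (or DHCP_FILE_LEN in the second hunk) and the `dmalloc (len + 1, MDL)` result only has room for a terminator that the copy itself must write; the copy and termination after the dmalloc are outside the hunk, so confirm they store a NUL at index len rather than relying on one being present in the packet. The existing comment could say this explicitly: `/* Field may be unterminated; len may reach DHCP_SNAME_LEN. */`. The two scans have identical shape and could share one small bounded-scan helper, though that is a style choice. packet_to_lease continues outside both hunks.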
......
......@@ -34,17 +34,19 @@
#define DHCP_H
#define DHCP_UDP_OVERHEAD (20 + /* IP header */ \
8) /* UDP header */
8) /* UDP header */
#define DHCP_SNAME_LEN 64
#define DHCP_FILE_LEN 128
#define DHCP_FIXED_NON_UDP 236
#define DHCP_FIXED_LEN (DHCP_FIXED_NON_UDP + DHCP_UDP_OVERHEAD)
/* Everything but options. */
#define BOOTP_MIN_LEN 300
#define DHCP_MTU_MAX 1500
#define DHCP_OPTION_LEN (DHCP_MTU_MAX - DHCP_FIXED_LEN)
#define DHCP_MTU_MIN 576
#define BOOTP_MIN_LEN 300
#define DHCP_MIN_LEN 548
#define DHCP_MAX_OPTION_LEN (DHCP_MTU_MAX - DHCP_FIXED_LEN)
#define DHCP_MIN_OPTION_LEN (DHCP_MTU_MIN - DHCP_FIXED_LEN)
struct dhcp_packet {
u_int8_t op; /* 0: Message opcode/type */
......@@ -61,7 +63,7 @@ struct dhcp_packet {
unsigned char chaddr [16]; /* 24: Client hardware address */
char sname [DHCP_SNAME_LEN]; /* 40: Server name */
char file [DHCP_FILE_LEN]; /* 104: Boot filename */
unsigned char options [DHCP_OPTION_LEN];
unsigned char options [DHCP_MAX_OPTION_LEN];
/* 212: Optional parameters
(actual length dependent on MTU). */
};
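Review bot: `#define DHCP_MIN_LEN 548` is the one length in this block written as a bare number while its neighbours are derived, and it equals DHCP_MTU_MIN minus DHCP_UDP_OVERHEAD; `#define DHCP_MIN_LEN (DHCP_MTU_MIN - DHCP_UDP_OVERHEAD)` keeps that relationship visible and stops the two constants drifting apart. DHCP_MIN_OPTION_LEN would also benefit from a comment, since it is the floor callers should size option buffers against: `/* 312 bytes: options space every client must accept (RFC 2131) */`. Separately, the `/* 212: Optional parameters` comment looks stale by the file's own numbering — file is marked 104 and DHCP_FILE_LEN is 128, which puts options at 232.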
......
......@@ -1399,12 +1399,17 @@ fqdn6_universe_decode(struct option_state *options,
struct universe *u);
int append_option(struct data_string *dst, struct universe *universe,
struct option *option, struct data_string *src);
int store_options PROTO ((int *, unsigned char *, unsigned, struct packet *,
struct lease *, struct client_state *,
struct option_state *,
struct option_state *, struct binding_scope **,
unsigned *, int, unsigned, unsigned,
int, const char *));
int
store_options(int *ocount,
unsigned char *buffer, unsigned buflen, unsigned index,
struct packet *packet, struct lease *lease,
struct client_state *client_state,
struct option_state *in_options,
struct option_state *cfg_options,
struct binding_scope **scope,
unsigned *priority_list, int priority_len,
unsigned first_cutoff, int second_cutoff, int terminate,
const char *vuname);
int store_options6(char *, int, struct option_state *, struct packet *,
const int *, struct data_string *);
int format_has_text(const char *);
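Review bot: The new store_options prototype declares `unsigned first_cutoff, int second_cutoff`, whereas the removed PROTO form passed both cutoffs as unsigned; if second_cutoff is an offset into buffer like first_cutoff (buflen and index are both unsigned), comparisons involving it promote to unsigned and a negative value would silently become a huge offset, so `unsigned first_cutoff, unsigned second_cutoff` is safer unless a negative sentinel is deliberate, in which case a comment on the declaration should say so. The prototype now names its parameters but documents none of them; a short block comment on the declaration giving the contract for ocount, buflen, index and the two cutoffs would help readers, since the definition lives elsewhere and the roles can only be guessed from the names here.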
......
......@@ -218,7 +218,7 @@ void bootp (packet)
lookup_option (&server_universe, options,
SV_ALWAYS_REPLY_RFC1048), MDL))) {
memcpy (outgoing.raw -> options,
packet -> raw -> options, DHCP_OPTION_LEN);
packet -> raw -> options, DHCP_MAX_OPTION_LEN);
outgoing.packet_length = BOOTP_MIN_LEN;
} else {
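Review bot: The memcpy ending at `packet -> raw -> options, DHCP_MAX_OPTION_LEN);` copies the full DHCP_MAX_OPTION_LEN bytes of the incoming options field regardless of how many bytes were actually received, and the reply is then sent with only BOOTP_MIN_LEN bytes; if the incoming raw buffer is sized to the received datagram rather than a full-MTU packet, that copy reads past the received data. Since this branch transmits BOOTP_MIN_LEN, copying at most `BOOTP_MIN_LEN - DHCP_FIXED_NON_UDP` bytes (64, assuming packet_length counts the BOOTP payload as the assignment on the next line suggests), bounded further by the received length and zero-filling the remainder, avoids both the over-read and echoing stale buffer contents into the reply. bootp()'s body continues outside the hunk.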
......