emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

udhcpc: check read of option length byte to be within packet

Browse Source 
function                                             old     new   delta
udhcp_get_option                                     215     220      +5
udhcp_run_script                                     802     803      +1

Signed-off-by: Brian Foley <bpfoley@google.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Brian Foley 2016-10-25 14:20:55 +02:00 committed by Denys Vlasenko
parent 69312e87b0
commit f9beeb22e2
2 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
networking/udhcp/common.c
View File

@ -226,9 +226,12 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
rem = sizeof(packet->options); rem = sizeof(packet->options);
while (1) { while (1) {
if (rem <= 0) { if (rem <= 0) {
complain:
bb_error_msg("bad packet, malformed option field"); bb_error_msg("bad packet, malformed option field");
return NULL; return NULL;
} }
/* DHCP_PADDING and DHCP_END have no [len] byte */
if (optionptr[OPT_CODE] == DHCP_PADDING) { if (optionptr[OPT_CODE] == DHCP_PADDING) {
rem--; rem--;
optionptr++; optionptr++;
@ -251,10 +254,13 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
} }
break; break;
} }
if (rem <= OPT_LEN)
goto complain; /* complain and return NULL */
len = 2 + optionptr[OPT_LEN]; len = 2 + optionptr[OPT_LEN];
rem -= len; rem -= len;
if (rem < 0) if (rem < 0)
continue; /* complain and return NULL */ goto complain; /* complain and return NULL */
if (optionptr[OPT_CODE] == code) { if (optionptr[OPT_CODE] == code) {
log_option("option found", optionptr); log_option("option found", optionptr);

4
networking/udhcp/dhcpc.c
View File

@ -450,7 +450,7 @@ static char **fill_envp(struct dhcp_packet *packet)
temp = udhcp_get_option(packet, i); temp = udhcp_get_option(packet, i);
if (temp) { if (temp) {
if (i == DHCP_OPTION_OVERLOAD) if (i == DHCP_OPTION_OVERLOAD)
overload = *temp; overload |= *temp;
else if (i == DHCP_SUBNET) else if (i == DHCP_SUBNET)
envc++; /* for $mask */ envc++; /* for $mask */
envc++; envc++;
@ -476,7 +476,7 @@ static char **fill_envp(struct dhcp_packet *packet)
* uint16_t secs; // elapsed since client began acquisition/renewal * uint16_t secs; // elapsed since client began acquisition/renewal
* uint16_t flags; // only one flag so far: bcast. Never set by server * uint16_t flags; // only one flag so far: bcast. Never set by server
* uint32_t ciaddr; // client IP (usually == yiaddr. can it be different * uint32_t ciaddr; // client IP (usually == yiaddr. can it be different
* // if during renew server wants to give us differn IP?) * // if during renew server wants to give us different IP?)
* uint32_t gateway_nip; // relay agent IP address * uint32_t gateway_nip; // relay agent IP address
* uint8_t chaddr[16]; // link-layer client hardware address (MAC) * uint8_t chaddr[16]; // link-layer client hardware address (MAC)
* TODO: export gateway_nip as $giaddr? * TODO: export gateway_nip as $giaddr?