Do more boundary and sanity checking when adding dhcp options.

Simplify parameter list for ifchd_cmd().
This commit is contained in:
Nicholas J. Kain 2011-03-30 15:57:01 -04:00
parent 0e62d46f8b
commit ddf9daf8e4
5 changed files with 143 additions and 91 deletions

View File

@ -79,7 +79,8 @@ static void init_header(struct dhcpMessage *packet, char type)
packet->hlen = 6; // ETH_10MB_LEN
packet->cookie = htonl(DHCP_MAGIC);
packet->options[0] = DHCP_END;
add_simple_option(packet->options, DHCP_MESSAGE_TYPE, type);
add_u32_option(packet->options, DHCP_OPTIONS_BUFSIZE, DHCP_MESSAGE_TYPE,
type);
}
/* initialize a packet with the proper defaults */
@ -93,10 +94,13 @@ static void init_packet(struct dhcpMessage *packet, char type)
init_header(packet, type);
memcpy(packet->chaddr, client_config.arp, 6);
add_option_string(packet->options, client_config.clientid);
add_option_string(packet->options, DHCP_OPTIONS_BUFSIZE,
client_config.clientid);
if (client_config.hostname)
add_option_string(packet->options, client_config.hostname);
add_option_string(packet->options, (unsigned char *)&vendor_id);
add_option_string(packet->options, DHCP_OPTIONS_BUFSIZE,
client_config.hostname);
add_option_string(packet->options, DHCP_OPTIONS_BUFSIZE,
(unsigned char *)&vendor_id);
}
#define MAC_BCAST_ADDR (unsigned char *) "\xff\xff\xff\xff\xff\xff"
@ -117,11 +121,13 @@ int send_discover(uint32_t xid, uint32_t requested)
init_packet(&packet, DHCPDISCOVER);
packet.xid = xid;
if (requested)
add_simple_option(packet.options, DHCP_REQUESTED_IP, requested);
add_u32_option(packet.options, DHCP_OPTIONS_BUFSIZE, DHCP_REQUESTED_IP,
requested);
/* Request a RFC-specified max size to work around buggy servers. */
add_simple_option(packet.options, DHCP_MAX_SIZE, htons(576));
add_requests(&packet);
add_u32_option(packet.options, DHCP_OPTIONS_BUFSIZE,
DHCP_MAX_SIZE, htons(576));
add_option_request_list(&packet);
log_line("Sending discover...");
return bcast_raw_packet(&packet);
}
@ -135,10 +141,11 @@ int send_selecting(uint32_t xid, uint32_t server, uint32_t requested)
init_packet(&packet, DHCPREQUEST);
packet.xid = xid;
add_simple_option(packet.options, DHCP_REQUESTED_IP, requested);
add_simple_option(packet.options, DHCP_SERVER_ID, server);
add_u32_option(packet.options, DHCP_OPTIONS_BUFSIZE, DHCP_REQUESTED_IP,
requested);
add_u32_option(packet.options, DHCP_OPTIONS_BUFSIZE, DHCP_SERVER_ID, server);
add_requests(&packet);
add_option_request_list(&packet);
addr.s_addr = requested;
log_line("Sending select for %s...", inet_ntoa(addr));
return bcast_raw_packet(&packet);
@ -153,7 +160,7 @@ int send_renew(uint32_t xid, uint32_t server, uint32_t ciaddr)
packet.xid = xid;
packet.ciaddr = ciaddr;
add_requests(&packet);
add_option_request_list(&packet);
log_line("Sending renew...");
if (server)
return kernel_packet(&packet, ciaddr, DHCP_CLIENT_PORT, server,
@ -179,8 +186,9 @@ int send_decline(uint32_t xid, uint32_t server, uint32_t requested)
*/
packet.xid = xid;
/* DHCPDECLINE uses "requested ip", not ciaddr, to store offered IP */
add_simple_option(packet.options, DHCP_REQUESTED_IP, requested);
add_simple_option(packet.options, DHCP_SERVER_ID, server);
add_u32_option(packet.options, DHCP_OPTIONS_BUFSIZE, DHCP_REQUESTED_IP,
requested);
add_u32_option(packet.options, DHCP_OPTIONS_BUFSIZE, DHCP_SERVER_ID, server);
log_line("Sending decline...");
return bcast_raw_packet(&packet);
@ -195,8 +203,9 @@ int send_release(uint32_t server, uint32_t ciaddr)
packet.xid = random_xid();
packet.ciaddr = ciaddr;
add_simple_option(packet.options, DHCP_REQUESTED_IP, ciaddr);
add_simple_option(packet.options, DHCP_SERVER_ID, server);
add_u32_option(packet.options, DHCP_OPTIONS_BUFSIZE, DHCP_REQUESTED_IP,
ciaddr);
add_u32_option(packet.options, DHCP_OPTIONS_BUFSIZE, DHCP_SERVER_ID, server);
log_line("Sending release...");
return kernel_packet(&packet, ciaddr, DHCP_CLIENT_PORT, server,

View File

@ -1,5 +1,5 @@
/* ifchange.c - functions to call the interface change daemon
* Time-stamp: <2011-03-30 12:02:55 nk>
* Time-stamp: <2011-03-30 13:14:37 nk>
*
* (c) 2004-2011 Nicholas J. Kain <njkain at gmail dot com>
*
@ -40,13 +40,14 @@
/* Fill buf with the ifchd command text of option 'option'. */
/* Returns 0 if successful, -1 if nothing was filled in. */
static int ifchd_cmd(char *buf, size_t buflen,
unsigned char *option, ssize_t optlen,
uint8_t code, enum option_type type, const char *optname)
static int ifchd_cmd(char *buf, size_t buflen, uint8_t *option, ssize_t optlen,
uint8_t code)
{
char *obuf = buf;
uint8_t *ooption = option;
ssize_t typelen = option_length(type);
const char *optname = option_name(code);
enum option_type type = option_type(code);
ssize_t typelen = option_length(code);
if (!option || type == OPTION_NONE)
return -1;
@ -181,8 +182,7 @@ static void send_cmd(int sockfd, struct dhcpMessage *packet,
memset(buf, '\0', sizeof buf);
optdata = get_option_data(packet, code, &optlen);
if (ifchd_cmd(buf, sizeof buf, optdata, optlen, code, option_type(code),
option_name(code)) == -1)
if (ifchd_cmd(buf, sizeof buf, optdata, optlen, code) == -1)
return;
sockwrite(sockfd, buf, strlen(buf));
}

View File

@ -1,7 +1,21 @@
/*
* options.c -- DHCP server option packet tools
* Rewrite by Russ Dill <Russ.Dill@asu.edu> July 2001
* Fixes and hardening: Nicholas J. Kain <njkain at gmail dot com>
/* options.c - DHCP options handling
* Time-stamp: <2011-03-30 15:52:12 nk>
*
* (c) 2004-2011 Nicholas J. Kain <njkain at gmail dot com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include <stdio.h>
@ -13,12 +27,6 @@
#include "log.h"
#include "malloc.h"
enum {
OPT_CODE = 0,
OPT_LEN = 1,
OPT_DATA = 2
};
struct dhcp_option {
char name[10];
enum option_type type;
@ -55,7 +63,7 @@ static struct dhcp_option options[] = {
{"maxsize" , OPTION_U16, 0x39},
{"tftp" , OPTION_STRING, 0x42},
{"bootfile" , OPTION_STRING, 0x43},
{"" , OPTION_NONE, 0x00}
{"NONE" , OPTION_NONE, 0x00}
};
// List of options that will be sent on the parameter request list to the
@ -102,7 +110,7 @@ const char *option_name(uint8_t code)
return bad_option_name;
}
uint8_t option_length(enum option_type type)
static uint8_t option_type_length(enum option_type type)
{
switch (type) {
case OPTION_IP: return 4;
@ -115,6 +123,16 @@ uint8_t option_length(enum option_type type)
}
}
uint8_t option_length(uint8_t code)
{
int i;
for (i = 0; options[i].code; i++)
if (options[i].code == code)
return option_type_length(options[i].type);
log_warning("option_length: unknown length for code 0x%02x", code);
return 0;
}
int option_valid_list(uint8_t code)
{
int i;
@ -254,61 +272,60 @@ uint8_t *get_option_data(struct dhcpMessage *packet, int code, ssize_t *optlen)
}
/* return the position of the 'end' option */
int get_end_option_idx(uint8_t *optbuf, size_t bufsize)
ssize_t get_end_option_idx(uint8_t *optbuf, size_t bufsize)
{
int i = 0;
while (i < bufsize && optbuf[i] != DHCP_END) {
if (optbuf[i] != DHCP_PADDING)
i += optbuf[i+1] + 2;
else
i++;
}
if (i < bufsize - 1)
int i;
for (i = 0; i < bufsize; ++i) {
if (optbuf[i] == DHCP_END)
return i;
else {
if (optbuf[i] == DHCP_PADDING)
continue;
if (optbuf[i] != DHCP_PADDING)
i += optbuf[i+1] + 1;
}
log_warning("get_end_option_idx(): did not find DHCP_END marker");
return bufsize - 1;
return -1;
}
}
/* add an option string to the options (an option string contains an option
* code, length, then data) */
int add_option_string(unsigned char *optionptr, unsigned char *string)
size_t add_option_string(uint8_t *optbuf, size_t buflen, uint8_t *optstr)
{
// XXX: not real length
int end = get_end_option_idx(optionptr, DHCP_OPTIONS_BUFSIZE);
size_t end = get_end_option_idx(optbuf, buflen);
size_t datalen = optstr[1];
/* end position + string length + option code/length + end option */
if (end + string[OPT_LEN] + 2 + 1 >= DHCP_OPTIONS_BUFSIZE) {
log_error("Option 0x%02x did not fit into the packet!",
string[OPT_CODE]);
if (end == -1) {
log_warning("add_option_string: Buffer has no DHCP_END marker");
return 0;
}
memcpy(optionptr + end, string, string[OPT_LEN] + 2);
optionptr[end + string[OPT_LEN] + 2] = DHCP_END;
return string[OPT_LEN] + 2;
/* end position + optstr length + option code/length + end option */
if (end + datalen + 2 + 1 >= buflen) {
log_warning("Option 0x%02x did not fit into the packet!", optstr[0]);
return 0;
}
memcpy(optbuf + end, optstr, datalen + 2);
optbuf[end + datalen + 2] = DHCP_END;
return datalen + 2;
}
int add_simple_option(unsigned char *optionptr, unsigned char code,
size_t add_u32_option(uint8_t *optbuf, size_t buflen, uint8_t code,
uint32_t data)
{
int i, length = 0;
unsigned char option[2 + 4];
int length = 0;
uint8_t option[6];
for (i = 0; options[i].code; i++)
if (options[i].code == code) {
length = option_length(options[i].type);
}
length = option_length(code);
log_line("aso(): code=0x%02x length=0x%02x", code, length);
option[OPT_CODE] = code;
option[OPT_LEN] = (unsigned char)length;
log_line("add_u32_option: code=0x%02x length=0x%02x", code, length);
option[0] = code;
option[1] = length;
if (!length) {
log_error("Could not add option 0x%02x", code);
log_warning("add_u32_option: option code 0x%02x has 0 length", code);
return 0;
} else if (length == 1) {
}
if (length == 1) {
uint8_t t = (uint8_t)data;
memcpy(option + 2, &t, 1);
} else if (length == 2) {
@ -318,20 +335,18 @@ int add_simple_option(unsigned char *optionptr, unsigned char code,
uint32_t t = (uint32_t)data;
memcpy(option + 2, &t, 4);
}
return add_option_string(optionptr, option);
return add_option_string(optbuf, buflen, option);
}
/* Add a paramater request list for stubborn DHCP servers. Don't do bounds */
/* checking here because it goes towards the head of the packet. */
void add_requests(struct dhcpMessage *packet)
/* Add a paramater request list for stubborn DHCP servers */
void add_option_request_list(struct dhcpMessage *packet)
{
// XXX: not real length
int end = get_end_option_idx(packet->options, DHCP_OPTIONS_BUFSIZE);
int i, len = 0;
int i;
uint8_t reqdata[sizeof req_opts + 1];
packet->options[end + OPT_CODE] = DHCP_PARAM_REQ;
reqdata[0] = DHCP_PARAM_REQ;
reqdata[1] = sizeof reqdata - 2;
for (i = 0; req_opts[i]; i++)
packet->options[end + OPT_DATA + len++] = req_opts[i];
packet->options[end + OPT_LEN] = len;
packet->options[end + OPT_DATA + len] = DHCP_END;
reqdata[i + 2] = req_opts[i];
add_option_string(packet->options, DHCP_OPTIONS_BUFSIZE, reqdata);
}

View File

@ -1,4 +1,22 @@
/* options.h */
/* options.h - DHCP options handling
* Time-stamp: <2011-03-30 15:50:30 nk>
*
* (c) 2004-2011 Nicholas J. Kain <njkain at gmail dot com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#ifndef OPTIONS_H_
#define OPTIONS_H_
@ -64,7 +82,7 @@ enum option_type {
const char *option_name(uint8_t code);
enum option_type option_type(uint8_t code);
uint8_t option_length(enum option_type type);
uint8_t option_length(uint8_t code);
int option_valid_list(uint8_t code);
size_t sizeof_option(unsigned char code, size_t datalen);
size_t set_option(unsigned char *buf, size_t buflen, unsigned char code,
@ -76,10 +94,10 @@ unsigned char *alloc_dhcp_client_id_option(unsigned char type,
unsigned char *idstr, size_t idstrlen);
uint8_t *get_option_data(struct dhcpMessage *packet, int code, ssize_t *optlen);
int get_end_option_idx(uint8_t *optbuf, size_t bufsize);
int add_option_string(unsigned char *optionptr, unsigned char *string);
int add_simple_option(unsigned char *optionptr, unsigned char code, uint32_t data);
void add_requests(struct dhcpMessage *packet);
ssize_t get_end_option_idx(uint8_t *optbuf, size_t bufsize);
size_t add_option_string(uint8_t *optbuf, size_t buflen, uint8_t *optstr);
size_t add_u32_option(uint8_t *optbuf, size_t buflen, uint8_t code,
uint32_t data);
void add_option_request_list(struct dhcpMessage *packet);
#endif

View File

@ -105,8 +105,13 @@ int raw_packet(struct dhcpMessage *payload, uint32_t source_ip,
* In order to work with those buggy servers,
* we truncate packets after end option byte.
*/
padding = DHCP_OPTIONS_BUFSIZE - 1 - get_end_option_idx(packet.data.options,
ssize_t endloc = get_end_option_idx(packet.data.options,
DHCP_OPTIONS_BUFSIZE);
if (endloc == -1) {
log_error("raw_packet: attempt to send packet with no DHCP_END");
goto out_fd;
}
padding = DHCP_OPTIONS_BUFSIZE - 1 - endloc;
packet.ip.protocol = IPPROTO_UDP;
packet.ip.saddr = source_ip;
@ -165,8 +170,13 @@ int kernel_packet(struct dhcpMessage *payload, uint32_t source_ip,
if (connect(fd, (struct sockaddr *)&client, sizeof(struct sockaddr)) == -1)
goto out_fd;
padding = DHCP_OPTIONS_BUFSIZE - 1 - get_end_option_idx(payload->options,
ssize_t endloc = get_end_option_idx(payload->options,
DHCP_OPTIONS_BUFSIZE);
if (endloc == -1) {
log_error("kernel_packet: attempt to send packet with no DHCP_END");
goto out_fd;
}
padding = DHCP_OPTIONS_BUFSIZE - 1 - endloc;
result = safe_write(fd, (const char *)payload, DHCP_SIZE - padding);
if (result == -1)
log_error("kernel_packet: write failed: %s", strerror(errno));