aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBrian Foley <bpfoley@google.com>2016-10-25 14:20:55 +0200
committerDenys Vlasenko <vda.linux@googlemail.com>2016-10-25 14:20:55 +0200
commitf9beeb22e2a4128ed85a8dc267d0823e5cfd3f47 (patch)
tree6c83a9185531079940b7c5b0d687c253a4bced06
parent69312e87b008363575a6d6603f54f94d8150e1cc (diff)
downloadbusybox-w32-f9beeb22e2a4128ed85a8dc267d0823e5cfd3f47.tar.gz
busybox-w32-f9beeb22e2a4128ed85a8dc267d0823e5cfd3f47.tar.bz2
busybox-w32-f9beeb22e2a4128ed85a8dc267d0823e5cfd3f47.zip
udhcpc: check read of option length byte to be within packet
function old new delta udhcp_get_option 215 220 +5 udhcp_run_script 802 803 +1 Signed-off-by: Brian Foley <bpfoley@google.com> Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat
-rw-r--r--networking/udhcp/common.c8
-rw-r--r--networking/udhcp/dhcpc.c4
2 files changed, 9 insertions, 3 deletions
diff --git a/networking/udhcp/common.c b/networking/udhcp/common.c
index 0cf4dab63..589bcd674 100644
--- a/networking/udhcp/common.c
+++ b/networking/udhcp/common.c
@@ -226,9 +226,12 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
226 rem = sizeof(packet->options); 226 rem = sizeof(packet->options);
227 while (1) { 227 while (1) {
228 if (rem <= 0) { 228 if (rem <= 0) {
229 complain:
229 bb_error_msg("bad packet, malformed option field"); 230 bb_error_msg("bad packet, malformed option field");
230 return NULL; 231 return NULL;
231 } 232 }
233
234 /* DHCP_PADDING and DHCP_END have no [len] byte */
232 if (optionptr[OPT_CODE] == DHCP_PADDING) { 235 if (optionptr[OPT_CODE] == DHCP_PADDING) {
233 rem--; 236 rem--;
234 optionptr++; 237 optionptr++;
@@ -251,10 +254,13 @@ uint8_t* FAST_FUNC udhcp_get_option(struct dhcp_packet *packet, int code)
251 } 254 }
252 break; 255 break;
253 } 256 }
257
258 if (rem <= OPT_LEN)
259 goto complain; /* complain and return NULL */
254 len = 2 + optionptr[OPT_LEN]; 260 len = 2 + optionptr[OPT_LEN];
255 rem -= len; 261 rem -= len;
256 if (rem < 0) 262 if (rem < 0)
257 continue; /* complain and return NULL */ 263 goto complain; /* complain and return NULL */
258 264
259 if (optionptr[OPT_CODE] == code) { 265 if (optionptr[OPT_CODE] == code) {
260 log_option("option found", optionptr); 266 log_option("option found", optionptr);
diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
index bef73277a..1c1051107 100644
--- a/networking/udhcp/dhcpc.c
+++ b/networking/udhcp/dhcpc.c
@@ -450,7 +450,7 @@ static char **fill_envp(struct dhcp_packet *packet)
450 temp = udhcp_get_option(packet, i); 450 temp = udhcp_get_option(packet, i);
451 if (temp) { 451 if (temp) {
452 if (i == DHCP_OPTION_OVERLOAD) 452 if (i == DHCP_OPTION_OVERLOAD)
453 overload = *temp; 453 overload |= *temp;
454 else if (i == DHCP_SUBNET) 454 else if (i == DHCP_SUBNET)
455 envc++; /* for $mask */ 455 envc++; /* for $mask */
456 envc++; 456 envc++;
@@ -476,7 +476,7 @@ static char **fill_envp(struct dhcp_packet *packet)
476 * uint16_t secs; // elapsed since client began acquisition/renewal 476 * uint16_t secs; // elapsed since client began acquisition/renewal
477 * uint16_t flags; // only one flag so far: bcast. Never set by server 477 * uint16_t flags; // only one flag so far: bcast. Never set by server
478 * uint32_t ciaddr; // client IP (usually == yiaddr. can it be different 478 * uint32_t ciaddr; // client IP (usually == yiaddr. can it be different
479 * // if during renew server wants to give us differn IP?) 479 * // if during renew server wants to give us different IP?)
480 * uint32_t gateway_nip; // relay agent IP address 480 * uint32_t gateway_nip; // relay agent IP address
481 * uint8_t chaddr[16]; // link-layer client hardware address (MAC) 481 * uint8_t chaddr[16]; // link-layer client hardware address (MAC)
482 * TODO: export gateway_nip as $giaddr? 482 * TODO: export gateway_nip as $giaddr?
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-01-20 18:18:51 +0000