author | KUMAAN <9maaan@gmail.com> | 2011-08-23 15:00:32 +0900 |
---|---|---|
committer | maximilian attems <max@stro.at> | 2012-05-19 19:46:36 +0200 |
commit | c2c7f19a094bba822995f7eba8ec8dfc5cbe4fdb (patch) | |
tree | dfdc3689ba6a1342b8518a63ba0fea8b19682779 | |
parent | b01feb697800476d5a53c58ab31893a0653d9c95 (diff) | |
[klibc] ipconfig: A bit more robust bootp/dhcp option parsing
Be a bit more strict about our BOOTP/DHCP option parsing to avoid
segmentation faults.
Signed-off-by: KUMAAN <9maaan@gmail.com>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: maximilian attems <max@stro.at>
-rw-r--r-- | usr/kinit/ipconfig/bootp_proto.c | 4 | ||||
-rw-r--r-- | usr/kinit/ipconfig/dhcp_proto.c | 33 |
2 files changed, 28 insertions, 9 deletions
diff --git a/usr/kinit/ipconfig/bootp_proto.c b/usr/kinit/ipconfig/bootp_proto.c
index f2cc90c85e2c19..e3d50e32501068 100644
--- a/usr/kinit/ipconfig/bootp_proto.c
+++ b/usr/kinit/ipconfig/bootp_proto.c
@@ -87,8 +87,12 @@ int bootp_parse(struct netdev *dev, struct bootp_hdr *hdr,
 else if (opt == 255)
 break;
+ if (ext - exts >= extlen)
+ break;
 len = *ext++;
+ if (ext - exts + len > extlen)
+ break;
 switch (opt) {
 case 1: /* subnet mask */
 if (len == 4)
diff --git a/usr/kinit/ipconfig/dhcp_proto.c b/usr/kinit/ipconfig/dhcp_proto.c
index a461c6d0398306..8ca2614072b16a 100644
--- a/usr/kinit/ipconfig/dhcp_proto.c
+++ b/usr/kinit/ipconfig/dhcp_proto.c
@@ -92,20 +92,35 @@ static int dhcp_parse(struct netdev *dev, struct bootp_hdr *hdr,
 uint8_t *ext;
 for (ext = exts + 4; ext - exts < extlen;) {
- uint8_t len, *opt = ext++;
- if (*opt == 0)
+ int len;
+ uint8_t opt = *ext++;
+
+ if (opt == 0)
 continue;
+ else if (opt == 255)
+ break;
+ if (ext - exts >= extlen)
+ break;
 len = *ext++;
+ if (ext - exts + len > extlen)
+ break;
+ switch (opt) {
+ case 51: /* IP Address Lease Time */
+ if (len == 4)
+ leasetime = ntohl(*(uint32_t *)ext);
+ break;
+ case 53: /* DHCP Message Type */
+ if (len == 1)
+ type = *ext;
+ break;
+ case 54: /* Server Identifier */
+ if (len == 4)
+ memcpy(&serverid, ext, 4);
+ break;
+ }
 ext += len;
-
- if (*opt == 51 && len == 4)
- leasetime = ntohl(*(uint32_t *)(opt + 2));
- if (*opt == 53)
- type = opt[2];
- if (*opt == 54)
- memcpy(&serverid, opt + 2, 4);
 }
 }
|
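Review bot: The two new `break` statements in bootp_parse (usr/kinit/ipconfig/bootp_proto.c) have no comment saying why parsing stops, even though the option area they guard is unauthenticated network input. I would add `/* option data comes from the network: never read a length byte or a value past extlen */` above the first check and `/* truncated option: stop here, options handled in earlier iterations stay applied */` above the second. Whether keeping those earlier options is intended cannot be judged from here, because the loop header and the code after the loop are outside the hunk; if a truncated reply should instead be rejected as a whole, the comment should say so. The same two checks appear in the dhcp_proto.c hunk and would take the same comments.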
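Review bot: In `case 51` of dhcp_parse (usr/kinit/ipconfig/dhcp_proto.c) the new line `leasetime = ntohl(*(uint32_t *)ext);` still reads the lease time through a cast of a `uint8_t *` that points at an arbitrary offset inside the option area, so the 32-bit load may be misaligned. On targets that trap unaligned access this can fault depending on how the sender laid out the options, which is the crash class this commit sets out to remove. `case 54` already copies with `memcpy`, and case 51 could do the same: `uint32_t v; memcpy(&v, ext, 4); leasetime = ntohl(v);` (inside a braced block, or with `v` declared at the top of the loop body). The declaration of `leasetime` and the start of dhcp_parse are outside the hunk.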