svn commit: r299512 - head/sbin/dhclient
Conrad E. Meyer
cem at FreeBSD.org
Thu May 12 04:28:23 UTC 2016
Author: cem
Date: Thu May 12 04:28:22 2016
New Revision: 299512
URL: https://svnweb.freebsd.org/changeset/base/299512
Log:
dhclient: Fix some trivial buffer overruns
There was some confusion about how to limit a hardware address to at most 16
bytes. In some cases it would overrun a byte off the end of the array.
Correct the types and rectify the overrun.
Reported by: Coverity
CIDs: 1008682, 1305550
Sponsored by: EMC / Isilon Storage Division
Modified:
head/sbin/dhclient/dhclient.c
Modified: head/sbin/dhclient/dhclient.c
==============================================================================
--- head/sbin/dhclient/dhclient.c Thu May 12 04:08:45 2016 (r299511)
+++ head/sbin/dhclient/dhclient.c Thu May 12 04:28:22 2016 (r299512)
@@ -56,6 +56,8 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include <stddef.h>
+
#include "dhcpd.h"
#include "privsep.h"
@@ -1570,16 +1572,18 @@ make_discover(struct interface_info *ip,
}
/* set unique client identifier */
- char client_ident[sizeof(struct hardware)];
+ struct hardware client_ident;
if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
- int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ?
- ip->hw_address.hlen : sizeof(client_ident)-1;
- client_ident[0] = ip->hw_address.htype;
- memcpy(&client_ident[1], ip->hw_address.haddr, hwlen);
+ size_t hwlen = MIN(ip->hw_address.hlen,
+ sizeof(client_ident.haddr));
+ client_ident.htype = ip->hw_address.htype;
+ client_ident.hlen = hwlen;
+ memcpy(client_ident.haddr, ip->hw_address.haddr, hwlen);
options[DHO_DHCP_CLIENT_IDENTIFIER] = &option_elements[DHO_DHCP_CLIENT_IDENTIFIER];
- options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident;
- options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1;
- options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1;
+ options[DHO_DHCP_CLIENT_IDENTIFIER]->value = (void *)&client_ident;
+ hwlen += offsetof(struct hardware, haddr);
+ options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen;
+ options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen;
options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF;
}
@@ -1605,8 +1609,8 @@ make_discover(struct interface_info *ip,
0, sizeof(ip->client->packet.siaddr));
memset(&(ip->client->packet.giaddr),
0, sizeof(ip->client->packet.giaddr));
- memcpy(ip->client->packet.chaddr,
- ip->hw_address.haddr, ip->hw_address.hlen);
+ memcpy(ip->client->packet.chaddr, ip->hw_address.haddr,
+ MIN(ip->hw_address.hlen, sizeof(ip->client->packet.chaddr)));
}
More information about the svn-src-all
mailing list