50 lines
1.8 KiB
Diff
50 lines
1.8 KiB
Diff
From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001
|
|
From: Simon Kelley <simon@thekelleys.org.uk>
|
|
Date: Mon, 11 Jul 2016 18:18:42 +0100
|
|
Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements.
|
|
|
|
The check that there's enough space to store the DHCP agent-id
|
|
at the end of the packet could succeed when it should fail
|
|
if the END option is in either of the oprion-overload areas.
|
|
That could overwrite legit options in the request and cause
|
|
bad behaviour. It's highly unlikely that any sane DHCP client
|
|
would trigger this bug, and it's never been seen, but this
|
|
fixes the problem.
|
|
|
|
Also fix off-by-one in bounds checking of option processing.
|
|
Worst case scenario on that is a read one byte beyond the
|
|
end off a buffer with a crafted packet, and maybe therefore
|
|
a SIGV crash if the memory after the buffer is not mapped.
|
|
|
|
Thanks to Timothy Becker for spotting these.
|
|
---
|
|
src/rfc2131.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/rfc2131.c b/src/rfc2131.c
|
|
index b7c167e..8b99d4b 100644
|
|
--- a/src/rfc2131.c
|
|
+++ b/src/rfc2131.c
|
|
@@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
|
be enough free space at the end of the packet to copy the option. */
|
|
unsigned char *sopt;
|
|
unsigned int total = option_len(opt) + 2;
|
|
- unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0);
|
|
+ unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz,
|
|
+ OPTION_END, 0);
|
|
if (last_opt && last_opt < end - total)
|
|
{
|
|
end -= total;
|
|
@@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
|
|
{
|
|
while (1)
|
|
{
|
|
- if (p > end)
|
|
+ if (p >= end)
|
|
return NULL;
|
|
else if (*p == OPTION_END)
|
|
return opt == OPTION_END ? p : NULL;
|
|
--
|
|
2.9.3
|
|
|