changelog shortlog tags branches files raw gz bz2 help

Mercurial > hg > plan9front / changeset: ip/dhcpd: prevent client from increasing max reply size beyond the reply buffer capacity

changeset 7419: 0712b88b437b
parent 7418: a1b2824f596e
child 7420: c6a1b19ee479
author: cinap_lenrek@felloff.net
date: Tue, 22 Oct 2019 06:53:50 +0200
files: sys/src/cmd/ip/dhcpd/dhcpd.c
description: ip/dhcpd: prevent client from increasing max reply size beyond the reply buffer capacity
     1.1--- a/sys/src/cmd/ip/dhcpd/dhcpd.c
     1.2+++ b/sys/src/cmd/ip/dhcpd/dhcpd.c
     1.3@@ -1078,17 +1078,22 @@ parseoptions(Req *rp)
     1.4 				v4tov6(rp->server, o);
     1.5 			break;
     1.6 		case ODmessage:
     1.7-			if(n > sizeof rp->msg-1)
     1.8-				n = sizeof rp->msg-1;
     1.9+			if(n > sizeof(rp->msg)-1)
    1.10+				n = sizeof(rp->msg)-1;
    1.11 			memmove(rp->msg, o, n);
    1.12 			rp->msg[n] = 0;
    1.13 			break;
    1.14 		case ODmaxmsg:
    1.15+			if(n < 2)
    1.16+				break;
    1.17 			c = nhgets(o);
    1.18-			c -= 28;
    1.19+			c -= IPUDPHDRSIZE;
    1.20+			if(c <= 0)
    1.21+				break;
    1.22 			c += Udphdrsize;
    1.23-			if(c > 0)
    1.24-				rp->max = rp->buf + c;
    1.25+			if(c > sizeof(rp->buf))
    1.26+				c = sizeof(rp->buf);
    1.27+			rp->max = rp->buf + c;
    1.28 			break;
    1.29 		case ODclientid:
    1.30 			if(n <= 1)