author | emaste <emaste@FreeBSD.org> | 2018-12-19 18:22:25 +0000 |
---|---|---|
committer | emaste <emaste@FreeBSD.org> | 2018-12-19 18:22:25 +0000 |
commit | be441713e5ebf6f70a54f9773e770fdffec494f7 (patch) | |
tree | bf416af2baec103605bebafbb2034092b5f78daa /libexec | |
parent | a3da8d3cae6ff49fc79f222c1874ee28c23a01bf (diff) | |
MFS11 r342229: bootpd: validate hardware type
Due to insufficient validation of network-provided data it may have been
possible for a malicious actor to craft a bootp packet which could cause
a stack buffer overflow.
admbugs: 850
Reported by: Reno Robert
Reviewed by: markj
Approved by: so
Security: FreeBSD-SA-18:15.bootpd
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'libexec')
-rw-r--r-- | libexec/bootpd/bootpd.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libexec/bootpd/bootpd.c b/libexec/bootpd/bootpd.c index fe9cefa..afd5c77 100644 --- a/libexec/bootpd/bootpd.c +++ b/libexec/bootpd/bootpd.c @@ -636,6 +636,10 @@ handle_request() char *homedir, *bootfile; int n; + if (bp->bp_htype >= hwinfocnt) { + report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype); + return; + } bp->bp_file[sizeof(bp->bp_file)-1] = '\0'; /* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */ |
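Review bot: The report() call in the new bp_htype check at the top of handle_request() records only the rejected type value, so an operator who sees "bad hw addr type" in the log cannot tell which host sent the packet; if the sender's address is in scope at this point, include it in the message. This branch is reachable from network-provided data and logs at LOG_NOTICE on every hit, so a sender repeating the malformed packet can fill the log; consider rate-limiting the message or lowering its priority. A one-line comment above the check saying what hwinfocnt bounds would also make it less likely that the test is dropped in a later cleanup.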