diff options
| author | cem <cem@FreeBSD.org> | 2016-05-12 04:28:22 +0000 |
|---|---|---|
| committer | cem <cem@FreeBSD.org> | 2016-05-12 04:28:22 +0000 |
| commit | 7403ada3a61aecbc825c499abce0e748fed883b4 (patch) | |
| tree | 2a6bd833778487c6d393760ff54dc2eaf8fdd66e /sbin/dhclient | |
| parent | 9c418cf4a67dafc64846998cb8fef66eb9e6bb19 (diff) | |
| download | FreeBSD-src-7403ada3a61aecbc825c499abce0e748fed883b4.zip FreeBSD-src-7403ada3a61aecbc825c499abce0e748fed883b4.tar.gz | |
dhclient: Fix some trivial buffer overruns
There was some confusion about how to limit a hardware address to at most 16
bytes. In some cases it would overrun a byte off the end of the array.
Correct the types and rectify the overrun.
Reported by: Coverity
CIDs: 1008682, 1305550
Sponsored by: EMC / Isilon Storage Division
Diffstat (limited to 'sbin/dhclient')
| -rw-r--r-- | sbin/dhclient/dhclient.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index 4444f29..7da12aa 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -56,6 +56,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include <stddef.h> + #include "dhcpd.h" #include "privsep.h" @@ -1570,16 +1572,18 @@ make_discover(struct interface_info *ip, struct client_lease *lease) } /* set unique client identifier */ - char client_ident[sizeof(struct hardware)]; + struct hardware client_ident; if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) { - int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ? - ip->hw_address.hlen : sizeof(client_ident)-1; - client_ident[0] = ip->hw_address.htype; - memcpy(&client_ident[1], ip->hw_address.haddr, hwlen); + size_t hwlen = MIN(ip->hw_address.hlen, + sizeof(client_ident.haddr)); + client_ident.htype = ip->hw_address.htype; + client_ident.hlen = hwlen; + memcpy(client_ident.haddr, ip->hw_address.haddr, hwlen); options[DHO_DHCP_CLIENT_IDENTIFIER] = &option_elements[DHO_DHCP_CLIENT_IDENTIFIER]; - options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident; - options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1; - options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1; + options[DHO_DHCP_CLIENT_IDENTIFIER]->value = (void *)&client_ident; + hwlen += offsetof(struct hardware, haddr); + options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen; + options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen; options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF; } @@ -1605,8 +1609,8 @@ make_discover(struct interface_info *ip, struct client_lease *lease) 0, sizeof(ip->client->packet.siaddr)); memset(&(ip->client->packet.giaddr), 0, sizeof(ip->client->packet.giaddr)); - memcpy(ip->client->packet.chaddr, - ip->hw_address.haddr, ip->hw_address.hlen); + memcpy(ip->client->packet.chaddr, ip->hw_address.haddr, + MIN(ip->hw_address.hlen, sizeof(ip->client->packet.chaddr))); } |
