d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

dhclient: Fix some trivial buffer overruns

Browse Source 
There was some confusion about how to limit a hardware address to at most 16
bytes.  In some cases it would overrun a byte off the end of the array.
Correct the types and rectify the overrun.

Reported by:	Coverity
CIDs:		1008682, 1305550
Sponsored by:	EMC / Isilon Storage Division
This commit is contained in:
Conrad Meyer 2016-05-12 04:28:22 +00:00
parent 83095e1ee2
commit 021b92e5ba
1 changed files with 14 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
sbin/dhclient/dhclient.c
View File

@ -56,6 +56,8 @@
#include <sys/cdefs.h> #include <sys/cdefs.h>
__FBSDID("$FreeBSD$"); __FBSDID("$FreeBSD$");
#include <stddef.h>
#include "dhcpd.h" #include "dhcpd.h"
#include "privsep.h" #include "privsep.h"
@ -1570,16 +1572,18 @@ make_discover(struct interface_info *ip, struct client_lease *lease)
} }
/* set unique client identifier */ /* set unique client identifier */
char client_ident[sizeof(struct hardware)]; struct hardware client_ident;
if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) { if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ? size_t hwlen = MIN(ip->hw_address.hlen,
ip->hw_address.hlen : sizeof(client_ident)-1; sizeof(client_ident.haddr));
client_ident[0] = ip->hw_address.htype; client_ident.htype = ip->hw_address.htype;
memcpy(&client_ident[1], ip->hw_address.haddr, hwlen); client_ident.hlen = hwlen;
memcpy(client_ident.haddr, ip->hw_address.haddr, hwlen);
options[DHO_DHCP_CLIENT_IDENTIFIER] = &option_elements[DHO_DHCP_CLIENT_IDENTIFIER]; options[DHO_DHCP_CLIENT_IDENTIFIER] = &option_elements[DHO_DHCP_CLIENT_IDENTIFIER];
options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident; options[DHO_DHCP_CLIENT_IDENTIFIER]->value = (void *)&client_ident;
options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1; hwlen += offsetof(struct hardware, haddr);
options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1; options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen;
options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen;
options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF; options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF;
} }
@ -1605,8 +1609,8 @@ make_discover(struct interface_info *ip, struct client_lease *lease)
0, sizeof(ip->client->packet.siaddr)); 0, sizeof(ip->client->packet.siaddr));
memset(&(ip->client->packet.giaddr), memset(&(ip->client->packet.giaddr),
0, sizeof(ip->client->packet.giaddr)); 0, sizeof(ip->client->packet.giaddr));
memcpy(ip->client->packet.chaddr, memcpy(ip->client->packet.chaddr, ip->hw_address.haddr,
ip->hw_address.haddr, ip->hw_address.hlen); MIN(ip->hw_address.hlen, sizeof(ip->client->packet.chaddr)));
} }