From 378f4212d7373698cd92126e944f53b41664c4e9 Mon Sep 17 00:00:00 2001
From: tsoome <tsoome@FreeBSD.org>
Date: Mon, 20 Mar 2017 22:20:17 +0000
Subject: [PATCH] loader: verify the value from dhcp.interface-mtu and use
 snprintf to set mtu

Since the uset can set dhcp.interface-mtu, we need to try to validate the
value. So we verify if the conversion to int is successful and we will not
allow to set value greater than max IPv4 packet size.

Also use snprintf for safety.

Reviewed by:	allanjude, bapt
Approved by:	allanjude (mentor)
Differential Revision:	https://reviews.freebsd.org/D8492
---
 lib/libstand/bootp.c        | 25 ++++++++++++++++++++++---
 sys/boot/common/dev_net.c   |  2 +-
 sys/boot/i386/libi386/pxe.c |  2 +-
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/lib/libstand/bootp.c b/lib/libstand/bootp.c
index 5d993ce5f07e..479405debe22 100644
--- a/lib/libstand/bootp.c
+++ b/lib/libstand/bootp.c
@@ -39,6 +39,7 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
+#include <sys/limits.h>
 #include <sys/endian.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -403,11 +404,29 @@ vend_rfc1048(cp, len)
 			strlcpy(hostname, val, sizeof(hostname));
 		}
 		if (tag == TAG_INTF_MTU) {
+			intf_mtu = 0;
 			if ((val = getenv("dhcp.interface-mtu")) != NULL) {
-				intf_mtu = (u_int)strtoul(val, NULL, 0);
-			} else {
-				intf_mtu = be16dec(cp);
+				unsigned long tmp;
+				char *end;
+
+				errno = 0;
+				/*
+				 * Do not allow MTU to exceed max IPv4 packet
+				 * size, max value of 16-bit word.
+				 */
+				tmp = strtoul(val, &end, 0);
+				if (errno != 0 ||
+				    *val == '\0' || *end != '\0' ||
+				    tmp > USHRT_MAX) {
+					printf("%s: bad value: \"%s\", "
+					    "ignoring\n",
+					    "dhcp.interface-mtu", val);
+				} else {
+					intf_mtu = (u_int)tmp;
+				}
 			}
+			if (intf_mtu <= 0)
+				intf_mtu = be16dec(cp);
 		}
 #ifdef SUPPORT_DHCP
 		if (tag == TAG_DHCP_MSGTYPE) {
diff --git a/sys/boot/common/dev_net.c b/sys/boot/common/dev_net.c
index 76abb2eb50ba..1795767dc5b3 100644
--- a/sys/boot/common/dev_net.c
+++ b/sys/boot/common/dev_net.c
@@ -175,7 +175,7 @@ net_open(struct open_file *f, ...)
 		}
 		if (intf_mtu != 0) {
 			char mtu[16];
-			sprintf(mtu, "%u", intf_mtu);
+			snprintf(mtu, sizeof(mtu), "%u", intf_mtu);
 			setenv("boot.netif.mtu", mtu, 1);
 		}
 
diff --git a/sys/boot/i386/libi386/pxe.c b/sys/boot/i386/libi386/pxe.c
index db27220c1a14..8928a231b70e 100644
--- a/sys/boot/i386/libi386/pxe.c
+++ b/sys/boot/i386/libi386/pxe.c
@@ -342,7 +342,7 @@ pxe_open(struct open_file *f, ...)
 			}
 			if (intf_mtu != 0) {
 				char mtu[16];
-				sprintf(mtu, "%u", intf_mtu);
+				snprintf(sizeof(mtu), mtu, "%u", intf_mtu);
 				setenv("boot.netif.mtu", mtu, 1);
 			}
 			printf("pxe_open: server addr: %s\n", inet_ntoa(rootip));