Date: Thu, 12 May 2016 04:28:22 +0000 (UTC) From: "Conrad E. Meyer" <cem@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r299512 - head/sbin/dhclient Message-ID: <201605120428.u4C4SMJc050809@repo.freebsd.org>
Author: cem Date: Thu May 12 04:28:22 2016 New Revision: 299512 URL: https://svnweb.freebsd.org/changeset/base/299512 Log: dhclient: Fix some trivial buffer overruns There was some confusion about how to limit a hardware address to at most 16 bytes. In some cases it would overrun a byte off the end of the array. Correct the types and rectify the overrun. Reported by: Coverity CIDs: 1008682, 1305550 Sponsored by: EMC / Isilon Storage Division Modified: head/sbin/dhclient/dhclient.c Modified: head/sbin/dhclient/dhclient.c ============================================================================== --- head/sbin/dhclient/dhclient.c Thu May 12 04:08:45 2016 (r299511) +++ head/sbin/dhclient/dhclient.c Thu May 12 04:28:22 2016 (r299512) @@ -56,6 +56,8 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include <stddef.h> + #include "dhcpd.h" #include "privsep.h" 
@@ -1570,16 +1572,18 @@ make_discover(struct interface_info *ip, } /* set unique client identifier */ - char client_ident[sizeof(struct hardware)]; + struct hardware client_ident; if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) { - int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ? - ip->hw_address.hlen : sizeof(client_ident)-1; - client_ident[0] = ip->hw_address.htype; - memcpy(&client_ident[1], ip->hw_address.haddr, hwlen); + size_t hwlen = MIN(ip->hw_address.hlen, + sizeof(client_ident.haddr)); + client_ident.htype = ip->hw_address.htype; + client_ident.hlen = hwlen; + memcpy(client_ident.haddr, ip->hw_address.haddr, hwlen); options[DHO_DHCP_CLIENT_IDENTIFIER] = &option_elements[DHO_DHCP_CLIENT_IDENTIFIER]; - options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident; - options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1; - options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1; + options[DHO_DHCP_CLIENT_IDENTIFIER]->value = (void *)&client_ident; + hwlen += offsetof(struct hardware, haddr); + options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen; + options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen; options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF; } @@ -1605,8 +1609,8 @@ make_discover(struct interface_info *ip, 0, sizeof(ip->client->packet.siaddr)); memset(&(ip->client->packet.giaddr), 0, sizeof(ip->client->packet.giaddr)); - memcpy(ip->client->packet.chaddr, - ip->hw_address.haddr, ip->hw_address.hlen); + memcpy(ip->client->packet.chaddr, ip->hw_address.haddr, + MIN(ip->hw_address.hlen, sizeof(ip->client->packet.chaddr))); }
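Review bot: Pointing `->value` at `&client_ident` with `len = hwlen + offsetof(struct hardware, haddr)` sends the struct's leading bytes on the wire, so anything laid out between `htype` and `haddr` becomes part of the client identifier. The removed lines sent `htype` followed directly by the address. If `hlen` sits between those two members (the definition of `struct hardware` is not in this hunk), every identifier gains a byte, and servers that key leases or static reservations on the identifier would treat the host as a new client. The overrun can be fixed without changing the format by keeping a byte buffer of one type byte plus the address and clamping the copy to the address size, as below; this assumes `ip->hw_address` is a `struct hardware`. make_discover starts and ends outside the hunk.

```c
	/* set unique client identifier */
	unsigned char client_ident[1 + sizeof(ip->hw_address.haddr)];
	if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
		size_t hwlen = MIN(ip->hw_address.hlen,
		    sizeof(ip->hw_address.haddr));
		/* wire format: one type byte, then the hardware address */
		client_ident[0] = ip->hw_address.htype;
		memcpy(&client_ident[1], ip->hw_address.haddr, hwlen);
		/* … unchanged: options[] slot assignment … */
		options[DHO_DHCP_CLIENT_IDENTIFIER]->value = (void *)client_ident;
		options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen + 1;
		options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen + 1;
		/* … unchanged: timeout assignment … */
	}
```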
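Review bot: The `MIN()` added to the `chaddr` copy bounds the write by the destination size only, and it truncates silently. The source `ip->hw_address.haddr` is a separate array whose size is not visible here, so if it is smaller than `chaddr` an oversized `hlen` could still over-read it. The packet's own length field is set outside this hunk, so it may still carry the unclamped `hlen` and disagree with the bytes actually copied. It would be more robust to reject or clamp `hlen` once, where `hw_address` is populated, and to document that here with a comment such as `/* hlen is validated when the interface is set up; MIN() is defence in depth */`. make_discover's body starts outside the hunk.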