From owner-svn-src-all@freebsd.org  Wed May 18 23:41:56 2016
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C91B2B41C9F;
 Wed, 18 May 2016 23:41:56 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 98C311A35;
 Wed, 18 May 2016 23:41:56 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u4INft0r078404;
 Wed, 18 May 2016 23:41:55 GMT (envelope-from cem@FreeBSD.org)
Received: (from cem@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id u4INftgv078403;
 Wed, 18 May 2016 23:41:55 GMT (envelope-from cem@FreeBSD.org)
Message-Id: <201605182341.u4INftgv078403@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cem set sender to cem@FreeBSD.org
 using -f
From: "Conrad E. Meyer" <cem@FreeBSD.org>
Date: Wed, 18 May 2016 23:41:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r300174 - head/sbin/dhclient
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2016 23:41:56 -0000

Author: cem
Date: Wed May 18 23:41:55 2016
New Revision: 300174
URL: https://svnweb.freebsd.org/changeset/base/300174

Log:
  dhclient: Fix the trivial buffer overruns correctly
  
  A DHCP client identifier is simply the hardware type (one byte) concatenated
  with the hardware address (some variable number of bytes, but at most 16).
  Limit the size of the temporary buffer to match and the rest of the
  calculations shake out correctly.
  
  This is a follow-up to the incorrect r299512, reverted in r300172.
  
  CIDs:		1008682, 1305550
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/sbin/dhclient/dhclient.c

Modified: head/sbin/dhclient/dhclient.c
==============================================================================
--- head/sbin/dhclient/dhclient.c	Wed May 18 23:39:31 2016	(r300173)
+++ head/sbin/dhclient/dhclient.c	Wed May 18 23:41:55 2016	(r300174)
@@ -1570,7 +1570,7 @@ make_discover(struct interface_info *ip,
 	}
 
 	/* set unique client identifier */
-	char client_ident[sizeof(struct hardware)];
+	char client_ident[sizeof(ip->hw_address.haddr) + 1];
 	if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
 		int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ?
 				ip->hw_address.hlen : sizeof(client_ident)-1;