Avoid stack smash in parseing the vendor specific options.
authorTony Breeds <tony@bakeyournoodle.com>
Fri, 16 Jul 2010 06:16:20 +0000 (16:16 +1000)
committerTony Breeds <tony@bakeyournoodle.com>
Fri, 16 Jul 2010 06:24:45 +0000 (16:24 +1000)
For yaboot we only really care about DHCP options that are also IPv4
addresses.  Limit the memcpy() to 32 bits.

Also we don't use the DHCP_DNS tag so remove it from the enum.

Signed-off-by: Tony Breeds <tony@bakeyournoodle.com>
second/file.c

index debf7f4..466abf2 100644 (file)
@@ -186,7 +186,6 @@ enum dhcp_options {
      DHCP_PAD = 0,
      DHCP_NETMASK = 1,
      DHCP_ROUTERS = 3,
-     DHCP_DNS = 6,
      DHCP_END = 255,
 };
 
@@ -218,13 +217,18 @@ extract_vendor_options(struct bootp_packet *packet, struct boot_fspec_t *result)
       *         it's malformed. :( */
      while (options[i] != DHCP_END) {
           __u8 tag = options[i++], len;
-          __u32 value;
+          __u32 value = 0;
 
           if (tag == DHCP_PAD)
                continue;
 
           len = options[i++];
-          memcpy(&value, &options[i], len);
+          /* Clamp the maxium length of the memcpy() to the right size for
+           * value. */
+          if (len > sizeof(value))
+               memcpy(&value, &options[i], sizeof(value));
+          else
+               memcpy(&value, &options[i], len);
 
 #if DEBUG
 {
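Review bot: The read side of this loop is still unbounded after the change: `tag`, `len` and the bytes at `&options[i]` all come from the packet, nothing visible keeps `i` inside the vendor options area, and the loop stops only on `DHCP_END`. The new clamp protects `value` on the stack, but a malformed reply with no end tag or with a `len` that runs past the field would, as far as the hunk shows, still be read beyond the buffer. A guard right after `len = options[i++];`, such as `if (i + len > OPTIONS_SIZE) break;`, plus the same bound in the `while` condition, would cover that; `OPTIONS_SIZE` is a placeholder for the real size of the options field, which is not visible here. The body of `extract_vendor_options` starts and ends outside the hunk, so the statement that advances `i` past the option data should be checked against the same limit.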