From: Tony Breeds
Date: Fri, 16 Jul 2010 06:16:20 +0000 (+1000)
Subject: Avoid stack smash in parseing the vendor specific options.
X-Git-Tag: yaboot-1.3.17-rc1~1
X-Git-Url: http://git.ozlabs.org/?p=yaboot.git;a=commitdiff_plain;h=a5eb5ac3f50c7a4d532043dc9006fcf8eaf43c3e
Avoid stack smash in parseing the vendor specific options.
For yaboot we only really care about DHCP options that are alos IPv4 addresses. Limit the memcpy() to 32bits. Also we don't use the DHCP_DNS tag so remove it from the enum.
Signed-off-by: Tony Breeds
---
diff --git a/second/file.c b/second/file.c
index debf7f4..466abf2 100644
--- a/second/file.c
+++ b/second/file.c
@@ -186,7 +186,6 @@ enum dhcp_options {
 DHCP_PAD = 0,
 DHCP_NETMASK = 1,
 DHCP_ROUTERS = 3,
- DHCP_DNS = 6,
 DHCP_END = 255,
 };
@@ -218,13 +217,18 @@ extract_vendor_options(struct bootp_packet *packet, struct boot_fspec_t *result)
 * it's malformed. :( */
 while (options[i] != DHCP_END) {
 __u8 tag = options[i++], len;
- __u32 value;
+ __u32 value = 0;
 if (tag == DHCP_PAD)
 continue;
 len = options[i++];
- memcpy(&value, &options[i], len);
+ /* Clamp the maxium length of the memcpy() to the right size for
+ * value. */
+ if (len > sizeof(value))
+ memcpy(&value, &options[i], sizeof(value));
+ else
+ memcpy(&value, &options[i], len);
 #if DEBUG
 {
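Review bot: The clamp in the second hunk stops the write past `value`, but the read side is still driven entirely by the packet: as far as the hunk shows, `while (options[i] != DHCP_END)` and `len = options[i++]` never compare `i` with the size of the options buffer, so a reply with no DHCP_END tag, or a length byte near the end of the field, can still make the parser read beyond it. A guard right after `len` is read, such as `if (len > OPTIONS_SIZE - i) break;`, together with `i < OPTIONS_SIZE - 1` in the loop condition, would close that (OPTIONS_SIZE is a placeholder for the real size of the vendor options field, which is not visible here). Options shorter than four bytes now produce a zero-padded partial `value`; since only IPv4 addresses are of interest, it may be cleaner to skip any option whose `len` is below `sizeof(value)`. The two `memcpy()` branches could also collapse into one call that passes `len > sizeof(value) ? sizeof(value) : len` as the size. The body of extract_vendor_options starts and ends outside this hunk, so the advance of `i` past the option data is assumed rather than seen.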