From a5eb5ac3f50c7a4d532043dc9006fcf8eaf43c3e Mon Sep 17 00:00:00 2001
From: Tony Breeds
Date: Fri, 16 Jul 2010 16:16:20 +1000
Subject: [PATCH] Avoid stack smash in parseing the vendor specific options. For yaboot we only really care about DHCP options that are alos IPv4 addresses. Limit the memcpy() to 32bits. Also we don't use the DHCP_DNS tag so remove it from the enum.

Signed-off-by: Tony Breeds
---
 second/file.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/second/file.c b/second/file.c
index debf7f4..466abf2 100644
--- a/second/file.c
+++ b/second/file.c
@@ -186,7 +186,6 @@ enum dhcp_options {
 DHCP_PAD = 0,
 DHCP_NETMASK = 1,
 DHCP_ROUTERS = 3,
- DHCP_DNS = 6,
 DHCP_END = 255,
 };

@@ -218,13 +217,18 @@ extract_vendor_options(struct bootp_packet *packet, struct boot_fspec_t *result)
 * it's malformed. :( */
 while (options[i] != DHCP_END) {
 __u8 tag = options[i++], len;
- __u32 value;
+ __u32 value = 0;

 if (tag == DHCP_PAD)
 continue;

 len = options[i++];
- memcpy(&value, &options[i], len);
+ /* Clamp the maxium length of the memcpy() to the right size for
+ * value. */
+ if (len > sizeof(value))
+ memcpy(&value, &options[i], sizeof(value));
+ else
+ memcpy(&value, &options[i], len);

 #if DEBUG
 {
-- 
2.39.2
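Review bot: The clamp bounds only the write into `value`; the read side of the loop in extract_vendor_options is still unbounded in the lines shown, since `options[i] != DHCP_END` is the only stop condition and neither `len = options[i++]` nor `&options[i]` is checked against the size of the options area. A packet that omits DHCP_END, or whose `len` runs past the end of the field, would therefore still be read out of bounds, unless a limit is applied in code outside this hunk (the function starts before it and continues after it). I would add a guard before the copy such as `if (i + len > opts_size) break;`, where `opts_size` is a placeholder for the real size of the packet's options field, and put the same limit in the `while` condition. The two memcpy() branches could also collapse into one call with a clamped length, `memcpy(&value, &options[i], len > sizeof(value) ? sizeof(value) : len);`.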