ip/dhcpd: prevent client from increasing max reply size beyond the reply buffer capacity
This commit is contained in:
parent
9314883aff
commit
ff44b92c96
1 changed files with 10 additions and 5 deletions
|
@ -1078,17 +1078,22 @@ parseoptions(Req *rp)
|
||||||
v4tov6(rp->server, o);
|
v4tov6(rp->server, o);
|
||||||
break;
|
break;
|
||||||
case ODmessage:
|
case ODmessage:
|
||||||
if(n > sizeof rp->msg-1)
|
if(n > sizeof(rp->msg)-1)
|
||||||
n = sizeof rp->msg-1;
|
n = sizeof(rp->msg)-1;
|
||||||
memmove(rp->msg, o, n);
|
memmove(rp->msg, o, n);
|
||||||
rp->msg[n] = 0;
|
rp->msg[n] = 0;
|
||||||
break;
|
break;
|
||||||
case ODmaxmsg:
|
case ODmaxmsg:
|
||||||
|
if(n < 2)
|
||||||
|
break;
|
||||||
c = nhgets(o);
|
c = nhgets(o);
|
||||||
c -= 28;
|
c -= IPUDPHDRSIZE;
|
||||||
|
if(c <= 0)
|
||||||
|
break;
|
||||||
c += Udphdrsize;
|
c += Udphdrsize;
|
||||||
if(c > 0)
|
if(c > sizeof(rp->buf))
|
||||||
rp->max = rp->buf + c;
|
c = sizeof(rp->buf);
|
||||||
|
rp->max = rp->buf + c;
|
||||||
break;
|
break;
|
||||||
case ODclientid:
|
case ODclientid:
|
||||||
if(n <= 1)
|
if(n <= 1)
|
||||||
|
|
Loading…
Reference in a new issue