ip/dhcpd: prevent client from increasing max reply size beyond the reply buffer capacity

cinap_lenrek 2019-10-22 06:53:50 +02:00
parent 9314883aff
commit ff44b92c96


@ -1078,17 +1078,22 @@ parseoptions(Req *rp)
v4tov6(rp->server, o); v4tov6(rp->server, o);
break; break;
case ODmessage: case ODmessage:
if(n > sizeof rp->msg-1) if(n > sizeof(rp->msg)-1)
n = sizeof rp->msg-1; n = sizeof(rp->msg)-1;
memmove(rp->msg, o, n); memmove(rp->msg, o, n);
rp->msg[n] = 0; rp->msg[n] = 0;
break; break;
case ODmaxmsg: case ODmaxmsg:
if(n < 2)
break;
c = nhgets(o); c = nhgets(o);
c -= 28; c -= IPUDPHDRSIZE;
if(c <= 0)
break;
c += Udphdrsize; c += Udphdrsize;
if(c > 0) if(c > sizeof(rp->buf))
rp->max = rp->buf + c; c = sizeof(rp->buf);
rp->max = rp->buf + c;
break; break;
case ODclientid: case ODclientid:
if(n <= 1) if(n <= 1)
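Review bot: The `ODmaxmsg` case now caps the client-supplied size at `sizeof(rp->buf)`, but it has no lower bound beyond `c <= 0`, so a very small advertised size still moves `rp->max` to just past the UDP header. RFC 2132 gives 576 as the minimum legal value for this option, so smaller values could be ignored with `if(c < 576) break;` right after `c = nhgets(o);`, using the file's own constant for that minimum if it has one. Whether this matters depends on the reply-building code, which is not visible here: it is worth confirming that code never computes remaining space as `rp->max` minus a write pointer that already sits beyond it. The comparison `c > sizeof(rp->buf)` is safe only because `c` is known to be positive at that point, which deserves a one-line comment. `parseoptions` starts and ends outside this hunk.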