svn commit: r299512 - head/sbin/dhclient

Wed, 11 May 2016 21:29:38 -0700 

Author: cem
Date: Thu May 12 04:28:22 2016
New Revision: 299512
URL: https://svnweb.freebsd.org/changeset/base/299512

Log:
  dhclient: Fix some trivial buffer overruns
  
  There was some confusion about how to limit a hardware address to at most 16
  bytes.  In some cases it would overrun a byte off the end of the array.
  Correct the types and rectify the overrun.
  
  Reported by:  Coverity
  CIDs:         1008682, 1305550
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/sbin/dhclient/dhclient.c

Modified: head/sbin/dhclient/dhclient.c
==============================================================================
--- head/sbin/dhclient/dhclient.c       Thu May 12 04:08:45 2016        
(r299511)
+++ head/sbin/dhclient/dhclient.c       Thu May 12 04:28:22 2016        
(r299512)
@@ -56,6 +56,8 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include <stddef.h>
+
 #include "dhcpd.h"
 #include "privsep.h"
 
@@ -1570,16 +1572,18 @@ make_discover(struct interface_info *ip,
        }
 
        /* set unique client identifier */
-       char client_ident[sizeof(struct hardware)];
+       struct hardware client_ident;
        if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) {
-               int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ?
-                               ip->hw_address.hlen : sizeof(client_ident)-1;
-               client_ident[0] = ip->hw_address.htype;
-               memcpy(&client_ident[1], ip->hw_address.haddr, hwlen);
+               size_t hwlen = MIN(ip->hw_address.hlen,
+                   sizeof(client_ident.haddr));
+               client_ident.htype = ip->hw_address.htype;
+               client_ident.hlen = hwlen;
+               memcpy(client_ident.haddr, ip->hw_address.haddr, hwlen);
                options[DHO_DHCP_CLIENT_IDENTIFIER] = 
&option_elements[DHO_DHCP_CLIENT_IDENTIFIER];
-               options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident;
-               options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1;
-               options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1;
+               options[DHO_DHCP_CLIENT_IDENTIFIER]->value = (void 
*)&client_ident;
+               hwlen += offsetof(struct hardware, haddr);
+               options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen;
+               options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen;
                options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF;
        }
 
@@ -1605,8 +1609,8 @@ make_discover(struct interface_info *ip,
            0, sizeof(ip->client->packet.siaddr));
        memset(&(ip->client->packet.giaddr),
            0, sizeof(ip->client->packet.giaddr));
-       memcpy(ip->client->packet.chaddr,
-           ip->hw_address.haddr, ip->hw_address.hlen);
+       memcpy(ip->client->packet.chaddr, ip->hw_address.haddr,
+           MIN(ip->hw_address.hlen, sizeof(ip->client->packet.chaddr)));
 }
 
 
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to