diff options
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2019-10-22 06:53:50 +0200 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2019-10-22 06:53:50 +0200 |
| commit | ff44b92c9641ffae799a5e12f88eb42294f24f2f (patch) | |
| tree | 1653a74e6a02a4c0828ae40836ac861e76611ab6 | |
| parent | 9314883aff7950820a26782d863a78d18be93635 (diff) | |
ip/dhcpd: prevent client from increasing max reply size beyond the reply buffer capacity
| -rw-r--r-- | sys/src/cmd/ip/dhcpd/dhcpd.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/sys/src/cmd/ip/dhcpd/dhcpd.c b/sys/src/cmd/ip/dhcpd/dhcpd.c index ee2a7ebaf..7ca52a049 100644 --- a/sys/src/cmd/ip/dhcpd/dhcpd.c +++ b/sys/src/cmd/ip/dhcpd/dhcpd.c @@ -1078,17 +1078,22 @@ parseoptions(Req *rp) v4tov6(rp->server, o); break; case ODmessage: - if(n > sizeof rp->msg-1) - n = sizeof rp->msg-1; + if(n > sizeof(rp->msg)-1) + n = sizeof(rp->msg)-1; memmove(rp->msg, o, n); rp->msg[n] = 0; break; case ODmaxmsg: + if(n < 2) + break; c = nhgets(o); - c -= 28; + c -= IPUDPHDRSIZE; + if(c <= 0) + break; c += Udphdrsize; - if(c > 0) - rp->max = rp->buf + c; + if(c > sizeof(rp->buf)) + c = sizeof(rp->buf); + rp->max = rp->buf + c; break; case ODclientid: if(n <= 1) |