ip/dhcpd: prevent client from increasing max reply size beyond the reply buffer capacity

author: cinap_lenrek <cinap_lenrek@felloff.net> 2019-10-22 06:53:50 +0200
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2019-10-22 06:53:50 +0200
commit: ff44b92c9641ffae799a5e12f88eb42294f24f2f (patch)
tree: 1653a74e6a02a4c0828ae40836ac861e76611ab6 /sys/src/cmd/ip/dhcpd/dhcpd.c
parent: 9314883aff7950820a26782d863a78d18be93635 (diff)
1 files changed, 10 insertions, 5 deletions
diff --git a/sys/src/cmd/ip/dhcpd/dhcpd.c b/sys/src/cmd/ip/dhcpd/dhcpd.c
index ee2a7ebaf..7ca52a049 100644
--- a/sys/src/cmd/ip/dhcpd/dhcpd.c
+++ b/sys/src/cmd/ip/dhcpd/dhcpd.c
@@ -1078,17 +1078,22 @@ parseoptions(Req *rp)
 				v4tov6(rp->server, o);
 			break;
 		case ODmessage:
-			if(n > sizeof rp->msg-1)
-				n = sizeof rp->msg-1;
+			if(n > sizeof(rp->msg)-1)
+				n = sizeof(rp->msg)-1;
 			memmove(rp->msg, o, n);
 			rp->msg[n] = 0;
 			break;
 		case ODmaxmsg:
+			if(n < 2)
+				break;
 			c = nhgets(o);
-			c -= 28;
+			c -= IPUDPHDRSIZE;
+			if(c <= 0)
+				break;
 			c += Udphdrsize;
-			if(c > 0)
-				rp->max = rp->buf + c;
+			if(c > sizeof(rp->buf))
+				c = sizeof(rp->buf);
+			rp->max = rp->buf + c;
 			break;
 		case ODclientid:
 			if(n <= 1)
author	cinap_lenrek <cinap_lenrek@felloff.net>	2019-10-22 06:53:50 +0200
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2019-10-22 06:53:50 +0200
commit	ff44b92c9641ffae799a5e12f88eb42294f24f2f (patch)
tree	1653a74e6a02a4c0828ae40836ac861e76611ab6 /sys/src/cmd/ip/dhcpd/dhcpd.c
parent	9314883aff7950820a26782d863a78d18be93635 (diff)