dhcp: fix out of bounds access in "ANDROID_METERED" fix

the previous change introduces a out of bounds access as it does not change n. it is also conceptually wrong because this routine is supposed to just verify the structure. as later getopts() is *NOT* going to deal with malfored TLV's. this actually replaces the android magic garbage with OBpad bytes, which getopts() later will handle correctly and makes sure the garbage is fully contained within the buffer boundaries. thanks sigrid for testing.
author: cinap_lenrek <cinap_lenrek@felloff.net> 2023-05-15 00:57:15 +0000
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2023-05-15 00:57:15 +0000
commit: 5f998f887f77d229aac3516fcf953b743ee0f0c3 (patch)
tree: 62363b70f42f792a815a676c6f1a120f917ff7dc /sys/src
parent: fb9b03d7878d7c4820cebdfc605639b669cb370b (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/src/cmd/ip/ipconfig/dhcp.c b/sys/src/cmd/ip/ipconfig/dhcp.c
index dc26c401c..d66360e95 100644
--- a/sys/src/cmd/ip/ipconfig/dhcp.c
+++ b/sys/src/cmd/ip/ipconfig/dhcp.c
@@ -951,10 +951,10 @@ parseoptions(uchar *p, int n)
 
 	while (n > 0) {
 		/* Android shouldn't be sending us this garbage; filter it out */
-		if(strncmp((char*)p, "ANDROID_METERED", n) == 0){
-			p += strlen("ANDROID_METERED");
-			continue;
-		}
+		static char garbage[] = "ANDROID_METERED";
+		if(n >= sizeof(garbage)-1 && memcmp(p, garbage, sizeof(garbage)-1) == 0)
+			memset(p, OBpad, sizeof(garbage)-1);
+
 		code = *p++;
 		n--;
 		if(code == OBend)
author	cinap_lenrek <cinap_lenrek@felloff.net>	2023-05-15 00:57:15 +0000
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2023-05-15 00:57:15 +0000
commit	5f998f887f77d229aac3516fcf953b743ee0f0c3 (patch)
tree	62363b70f42f792a815a676c6f1a120f917ff7dc /sys/src
parent	fb9b03d7878d7c4820cebdfc605639b669cb370b (diff)