summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorkrw <krw@openbsd.org>2019-03-18 16:47:18 +0000
committerkrw <krw@openbsd.org>2019-03-18 16:47:18 +0000
commit5ddbaee5255ec8239f9dd754086ece6b7614dbca (patch)
treebb194eeaae8d602955a4be66b9d203e178bf2cf8
parentModify rasops_list_font_cb() to not filter out fonts with different (diff)
downloadwireguard-openbsd-5ddbaee5255ec8239f9dd754086ece6b7614dbca.tar.xz
wireguard-openbsd-5ddbaee5255ec8239f9dd754086ece6b7614dbca.zip
Add a couple of checks to ensure option data fits into the proposal
field being memcpy()'d into. Tweak DHO_ROUTERS handling to be similar to the other cases populating proposal->rtstatic, including a warning when things go wrong.
-rw-r--r--sbin/dhclient/dhclient.c19
1 files changed, 10 insertions, 9 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 539fea61fa0..76c193955ff 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhclient.c,v 1.625 2019/02/13 21:18:32 krw Exp $ */
+/* $OpenBSD: dhclient.c,v 1.626 2019/03/18 16:47:18 krw Exp $ */
/*
* Copyright 2004 Henning Brauer <henning@openbsd.org>
@@ -1911,28 +1911,28 @@ lease_as_proposal(struct client_lease *lease)
} else
log_warnx("%s: MS_CLASSLESS_STATIC_ROUTES too long",
log_procname);
- } else {
+ } else if (lease->options[DHO_ROUTERS].len != 0) {
opt = &lease->options[DHO_ROUTERS];
- if (opt->len >= sizeof(in_addr_t)) {
+ if (opt->len >= sizeof(in_addr_t) &&
+ (1 + sizeof(in_addr_t)) < sizeof(proposal->rtstatic)) {
proposal->rtstatic_len = 1 + sizeof(in_addr_t);
proposal->rtstatic[0] = 0;
memcpy(&proposal->rtstatic[1], opt->data,
sizeof(in_addr_t));
proposal->addrs |= RTA_STATIC;
- }
+ } else
+ log_warnx("%s: DHO_ROUTERS invalid", log_procname);
}
if (lease->options[DHO_DOMAIN_SEARCH].len != 0) {
opt = &lease->options[DHO_DOMAIN_SEARCH];
buf = pretty_print_domain_search(opt->data, opt->len);
- if (buf == NULL )
- log_warnx("%s: DOMAIN_SEARCH too long",
- log_procname);
- else {
+ if (buf != NULL && strlen(buf) < sizeof(proposal->rtsearch)) {
proposal->rtsearch_len = strlen(buf);
memcpy(proposal->rtsearch, buf, proposal->rtsearch_len);
proposal->addrs |= RTA_SEARCH;
- }
+ } else
+ log_warnx("%s: DOMAIN_SEARCH too long", log_procname);
} else if (lease->options[DHO_DOMAIN_NAME].len != 0) {
opt = &lease->options[DHO_DOMAIN_NAME];
if (opt->len < sizeof(proposal->rtsearch)) {
@@ -1942,6 +1942,7 @@ lease_as_proposal(struct client_lease *lease)
} else
log_warnx("%s: DOMAIN_NAME too long", log_procname);
}
+
if (lease->options[DHO_DOMAIN_NAME_SERVERS].len != 0) {
int servers;
opt = &lease->options[DHO_DOMAIN_NAME_SERVERS];