diff options
| author |   krw <krw@openbsd.org> | 2008-01-18 20:14:03 +0000 |
|---|---|---|
| committer | krw <krw@openbsd.org> | 2008-01-18 20:14:03 +0000 |
| commit | da28a0bf292c81e8ce360b64cafa3274024194ec (patch) | |
| tree | f1097a3eede2482fb774f8381f0a5363b489d551 | |
| parent | Add environ(4). (diff) | |
| download | wireguard-openbsd-da28a0bf292c81e8ce360b64cafa3274024194ec.tar.xz wireguard-openbsd-da28a0bf292c81e8ce360b64cafa3274024194ec.zip | |
Call store_options() with correct cutoff values, i.e. ones not 7 bytes
too large. Fixes a problem where a nicely crafted packet could crash
dhcpd. Nuke a superfluous declaration of store_options() while here.
Problem found and fix tested by Peter Hessler.
ok beck@ millert@ henning@
| -rw-r--r-- | usr.sbin/dhcpd/dhcpd.h | 4 | ||||
| -rw-r--r-- | usr.sbin/dhcpd/options.c | 6 |
2 files changed, 4 insertions, 6 deletions
diff --git a/usr.sbin/dhcpd/dhcpd.h b/usr.sbin/dhcpd/dhcpd.h index 80b2a333f4f..3472ab40f27 100644 --- a/usr.sbin/dhcpd/dhcpd.h +++ b/usr.sbin/dhcpd/dhcpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dhcpd.h,v 1.34 2007/10/29 16:51:02 krw Exp $ */ +/* $OpenBSD: dhcpd.h,v 1.35 2008/01/18 20:14:03 krw Exp $ */ /* * Copyright (c) 1995, 1996, 1997, 1998, 1999 @@ -472,8 +472,6 @@ void parse_options(struct packet *); void parse_option_buffer(struct packet *, unsigned char *, int); int cons_options(struct packet *, struct dhcp_packet *, int, struct tree_cache **, int, int, int, u_int8_t *, int); -int store_options(unsigned char *, int, struct tree_cache **, - unsigned char *, int, int, int); char *pretty_print_option(unsigned int, unsigned char *, int, int, int); void do_packet(struct interface_info *, struct dhcp_packet *, int, unsigned int, struct iaddr, struct hardware *); diff --git a/usr.sbin/dhcpd/options.c b/usr.sbin/dhcpd/options.c index d98dfff221a..749b387f6a1 100644 --- a/usr.sbin/dhcpd/options.c +++ b/usr.sbin/dhcpd/options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: options.c,v 1.19 2007/10/29 16:51:02 krw Exp $ */ +/* $OpenBSD: options.c,v 1.20 2008/01/18 20:14:03 krw Exp $ */ /* DHCP options parsing and reassembly. */ @@ -308,8 +308,8 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket, buffer, (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0) + ((overload & 2) ? DHCP_SNAME_LEN : 0)), - options, priority_list, main_buffer_size, - (main_buffer_size + ((overload & 1) ? DHCP_FILE_LEN : 0)), + options, priority_list, main_buffer_size - 7, + (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0)), terminate); /* Initialize the buffers to be used and put the cookie up front. */ |