diff options
| author |   krw <krw@openbsd.org> | 2008-01-18 20:14:03 +0000 |
|---|---|---|
| committer | krw <krw@openbsd.org> | 2008-01-18 20:14:03 +0000 |
| commit | da28a0bf292c81e8ce360b64cafa3274024194ec (patch) | |
| tree | f1097a3eede2482fb774f8381f0a5363b489d551 /usr.sbin/dhcpd/options.c | |
| parent | Add environ(4). (diff) | |
| download | wireguard-openbsd-da28a0bf292c81e8ce360b64cafa3274024194ec.tar.xz wireguard-openbsd-da28a0bf292c81e8ce360b64cafa3274024194ec.zip | |
Call store_options() with correct cutoff values, i.e. ones not 7 bytes
too large. Fixes a problem where a nicely crafted packet could crash
dhcpd. Nuke a superfluous declaration of store_options() while here.
Problem found and fix tested by Peter Hessler.
ok beck@ millert@ henning@
Diffstat (limited to 'usr.sbin/dhcpd/options.c')
| -rw-r--r-- | usr.sbin/dhcpd/options.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/usr.sbin/dhcpd/options.c b/usr.sbin/dhcpd/options.c index d98dfff221a..749b387f6a1 100644 --- a/usr.sbin/dhcpd/options.c +++ b/usr.sbin/dhcpd/options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: options.c,v 1.19 2007/10/29 16:51:02 krw Exp $ */ +/* $OpenBSD: options.c,v 1.20 2008/01/18 20:14:03 krw Exp $ */ /* DHCP options parsing and reassembly. */ @@ -308,8 +308,8 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket, buffer, (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0) + ((overload & 2) ? DHCP_SNAME_LEN : 0)), - options, priority_list, main_buffer_size, - (main_buffer_size + ((overload & 1) ? DHCP_FILE_LEN : 0)), + options, priority_list, main_buffer_size - 7, + (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0)), terminate); /* Initialize the buffers to be used and put the cookie up front. */ |