* Add check for and prevent buffer overflow for BOOTP / DHCP string

  parameters

diff --git a/CHANGELOG b/CHANGELOG
index cf3c8bff57941c1c3573559da4cf08edde957409..20c397a4db5f3abddee54ffc400a61875fcdc3d1 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -56,6 +56,9 @@ To do:
 Modifications for 1.0.5:
 ======================================================================
 
+* Add check for and prevent buffer overflow for BOOTP / DHCP string
+  parameters
+
 * Fix PUMA download on CCM board
 
 * allow 0x... prefix on input

diff --git a/include/net.h b/include/net.h
index 93a4c61704e45693b57753502a399a2f4303f269..068fd0faeba15fc8031eb2d4af5426d9af8d02ca 100644 (file)
--- a/include/net.h
+++ b/include/net.h
@@ -210,7 +210,7 @@ extern IPaddr_t             NetOurSubnetMask;       /* Our subnet mask (0 = unknown)*/
 extern IPaddr_t                NetOurDNSIP;     /* Our Domain Name Server (0 = unknown)*/
 extern char            NetOurNISDomain[32];    /* Our NIS domain               */
 extern char            NetOurHostName[32];     /* Our hostname                 */
-extern char            NetOurRootPath[32];     /* Our root path                */
+extern char            NetOurRootPath[64];     /* Our root path                */
 extern ushort          NetBootFileSize;        /* Our boot file size in blocks */
 /** END OF BOOTP EXTENTIONS **/
 extern ulong           NetBootFileXferSize;    /* size of bootfile in bytes    */

diff --git a/net/bootp.c b/net/bootp.c
index c5b32daab4f0b810ceeb301c4283b6f6a9da0dca..ba0b54b88c1eb14d93519682f18d7b60b8b6c1d0 100644 (file)
--- a/net/bootp.c
+++ b/net/bootp.c
@@ -108,7 +108,18 @@ void BootpCopyNetParams(Bootp_t *bp)
        setenv ("bootfile", BootFile);
 }
 
+static int truncate_sz (const char *name, int maxlen, int curlen)
+{
+       if (curlen >= maxlen) {
+               printf("*** WARNING: %s is too long (%d - max: %d) - truncated\n",
+                       name, curlen, maxlen);
+               curlen = maxlen - 1;
+       }
+       return (curlen);
+}
+
 #if !(CONFIG_COMMANDS & CFG_CMD_DHCP)
+
 static void BootpVendorFieldProcess(u8 *ext)
 {
     int size = *(ext+1) ;
@@ -152,6 +163,7 @@ static void BootpVendorFieldProcess(u8 *ext)
                break;
        case 12:        /* Host name                                    */
                if (NetOurHostName[0] == 0) {
+                   size = truncate_sz("Host Name", sizeof(NetOurHostName), size);
                    memcpy(&NetOurHostName, ext+2, size);
                    NetOurHostName[size] = 0 ;
                }
@@ -167,6 +179,7 @@ static void BootpVendorFieldProcess(u8 *ext)
                break;
        case 17:        /* Root path                                    */
                if (NetOurRootPath[0] == 0) {
+                   size = truncate_sz("Root Path", sizeof(NetOurRootPath), size);
                    memcpy(&NetOurRootPath, ext+2, size);
                    NetOurRootPath[size] = 0 ;
                }
@@ -181,6 +194,9 @@ static void BootpVendorFieldProcess(u8 *ext)
     /* IP host layer fields */
        case 40:        /* NIS Domain name                              */
                if (NetOurNISDomain[0] == 0) {
+                   size = truncate_sz ("NIS Domain Name",
+                                       sizeof(NetOurNISDomain),
+                                       size);
                    memcpy(&NetOurNISDomain, ext+2, size);
                    NetOurNISDomain[size] = 0 ;
                }
@@ -609,7 +625,7 @@ BootpRequest (void)
 void DhcpOptionsProcess(char *popt)
 {
        char *end = popt + BOOTP_HDR_SIZE;
-       int oplen;
+       int oplen, size;
 
        while ( popt < end && *popt != 0xff ) {
                oplen = *(popt + 1);
@@ -624,14 +640,20 @@ void DhcpOptionsProcess(char *popt)
                                NetOurDNSIP = *(IPaddr_t *)(popt +2);
                                break;
                        case 12:
-                               memcpy(&NetOurHostName, popt+2, oplen);
-                               NetOurHostName[oplen] = 0 ;
+                               size = truncate_sz ("Host Name",
+                                                   sizeof(NetOurHostName),
+                                                   oplen);
+                               memcpy(&NetOurHostName, popt+2, size);
+                               NetOurHostName[size] = 0 ;
                                break;
                        case 15:                /* Ignore Domain Name Option */
                                break;
                        case 17:
-                               memcpy(&NetOurRootPath, popt+2, oplen);
-                               NetOurRootPath[oplen] = 0 ;
+                               size = truncate_sz ("Root Path",
+                                                   sizeof(NetOurRootPath),
+                                                   oplen);
+                               memcpy(&NetOurRootPath, popt+2, size);
+                               NetOurRootPath[size] = 0 ;
                                break;
                        case 51:
                                dhcp_leasetime = *(unsigned int *)(popt + 2);

diff --git a/net/net.c b/net/net.c
index 443e208a7d0bd4510f20034f3321149703cd46f8..d6ddf411b31f36b27746a574dd4d751ac0a2f89e 100644 (file)
--- a/net/net.c
+++ b/net/net.c
@@ -79,7 +79,7 @@ IPaddr_t      NetOurGatewayIP=0;              /* Our gateways IP address      */
 IPaddr_t       NetOurDNSIP=0;                  /* Our DNS IP address           */
 char           NetOurNISDomain[32]={0,};       /* Our NIS domain               */
 char           NetOurHostName[32]={0,};        /* Our hostname                 */
-char           NetOurRootPath[32]={0,};        /* Our bootpath                 */
+char           NetOurRootPath[64]={0,};        /* Our bootpath                 */
 ushort         NetBootFileSize=0;              /* Our bootfile size in blocks  */
 
 /** END OF BOOTP EXTENTIONS **/