From: wdenk
Date: Mon, 13 Aug 2001 17:11:06 +0000 (+0000)
Subject: * Add check for and prevent buffer overflow for BOOTP / DHCP string
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=73bc74a082e6c0d3568fea74a38330a56311d14f;p=users%2Frw%2Fppcboot.git
* Add check for and prevent buffer overflow for BOOTP / DHCP string parameters
---
diff --git a/CHANGELOG b/CHANGELOG
index cf3c8bf..20c397a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -56,6 +56,9 @@ To do:
 Modifications for 1.0.5:
 ======================================================================
+* Add check for and prevent buffer overflow for BOOTP / DHCP string
+ parameters
+
 * Fix PUMA download on CCM board
 * allow 0x... prefix on input
diff --git a/include/net.h b/include/net.h
index 93a4c61..068fd0f 100644
--- a/include/net.h
+++ b/include/net.h
@@ -210,7 +210,7 @@ extern IPaddr_t NetOurSubnetMask; /* Our subnet mask (0 = unknown)*/
 extern IPaddr_t NetOurDNSIP; /* Our Domain Name Server (0 = unknown)*/
 extern char NetOurNISDomain[32]; /* Our NIS domain */
 extern char NetOurHostName[32]; /* Our hostname */
-extern char NetOurRootPath[32]; /* Our root path */
+extern char NetOurRootPath[64]; /* Our root path */
 extern ushort NetBootFileSize; /* Our boot file size in blocks */
 /** END OF BOOTP EXTENTIONS **/
 extern ulong NetBootFileXferSize; /* size of bootfile in bytes */
diff --git a/net/bootp.c b/net/bootp.c
index c5b32da..ba0b54b 100644
--- a/net/bootp.c
+++ b/net/bootp.c
@@ -108,7 +108,18 @@ void BootpCopyNetParams(Bootp_t *bp)
 setenv ("bootfile", BootFile);
 }
+static int truncate_sz (const char *name, int maxlen, int curlen)
+{
+ if (curlen >= maxlen) {
+ printf("*** WARNING: %s is too long (%d - max: %d) - truncated\n",
+ name, curlen, maxlen);
+ curlen = maxlen - 1;
+ }
+ return (curlen);
+}
+
 #if !(CONFIG_COMMANDS & CFG_CMD_DHCP)
+
 static void BootpVendorFieldProcess(u8 *ext)
 {
 int size = *(ext+1) ;
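Review bot: truncate_sz clamps only lengths that are too large, so a negative `curlen` is returned unchanged and would reach memcpy as a very large size_t. The BOOTP caller reads its length through a `u8 *`, but DhcpOptionsProcess (later hunks in this file) does `oplen = *(popt + 1)` through a plain `char *`, which gives a negative value for length bytes above 0x7f wherever plain char is signed. I would add `if (curlen < 0) curlen = 0;` ahead of the existing test, or read the length as `*(unsigned char *)(popt + 1)`. The helper also deserves a one-line comment such as `/* clamp curlen so the data plus a terminating NUL fit in maxlen bytes */`. BootpVendorFieldProcess begins in this hunk and continues outside it.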
@@ -152,6 +163,7 @@ static void BootpVendorFieldProcess(u8 *ext)
 break;
 case 12: /* Host name */
 if (NetOurHostName[0] == 0) {
+ size = truncate_sz("Host Name", sizeof(NetOurHostName), size);
 memcpy(&NetOurHostName, ext+2, size);
 NetOurHostName[size] = 0 ;
 }
@@ -167,6 +179,7 @@ static void BootpVendorFieldProcess(u8 *ext)
 break;
 case 17: /* Root path */
 if (NetOurRootPath[0] == 0) {
+ size = truncate_sz("Root Path", sizeof(NetOurRootPath), size);
 memcpy(&NetOurRootPath, ext+2, size);
 NetOurRootPath[size] = 0 ;
 }
@@ -181,6 +194,9 @@ static void BootpVendorFieldProcess(u8 *ext)
 /* IP host layer fields */
 case 40: /* NIS Domain name */
 if (NetOurNISDomain[0] == 0) {
+ size = truncate_sz ("NIS Domain Name",
+ sizeof(NetOurNISDomain),
+ size);
 memcpy(&NetOurNISDomain, ext+2, size);
 NetOurNISDomain[size] = 0 ;
 }
@@ -609,7 +625,7 @@ BootpRequest (void)
 void DhcpOptionsProcess(char *popt)
 {
 char *end = popt + BOOTP_HDR_SIZE;
- int oplen;
+ int oplen, size;
 while ( popt < end && *popt != 0xff ) {
 oplen = *(popt + 1);
@@ -624,14 +640,20 @@ void DhcpOptionsProcess(char *popt)
 NetOurDNSIP = *(IPaddr_t *)(popt +2);
 break;
 case 12:
- memcpy(&NetOurHostName, popt+2, oplen);
- NetOurHostName[oplen] = 0 ;
+ size = truncate_sz ("Host Name",
+ sizeof(NetOurHostName),
+ oplen);
+ memcpy(&NetOurHostName, popt+2, size);
+ NetOurHostName[size] = 0 ;
 break;
 case 15: /* Ignore Domain Name Option */
 break;
 case 17:
- memcpy(&NetOurRootPath, popt+2, oplen);
- NetOurRootPath[oplen] = 0 ;
+ size = truncate_sz ("Root Path",
+ sizeof(NetOurRootPath),
+ oplen);
+ memcpy(&NetOurRootPath, popt+2, size);
+ NetOurRootPath[size] = 0 ;
 break;
 case 51:
 dhcp_leasetime = *(unsigned int *)(popt + 2);
diff --git a/net/net.c b/net/net.c
index 443e208..d6ddf41 100644
--- a/net/net.c
+++ b/net/net.c
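Review bot: In the `case 12`, `case 17` and `case 40` hunks of BootpVendorFieldProcess, and again in the DHCP `case 12`/`case 17` hunk, an over-long value is cut to fit and then stored and used as if the server had sent it. For the root path in particular a shortened string is a different path that can still look valid, so the board may mount something other than what was configured, and the console warning is easy to miss on an unattended system. I would leave the field unset when the option does not fit, e.g. `if (size >= (int)sizeof(NetOurRootPath)) break;` after printing the warning (with `oplen` in the DHCP path). BootpVendorFieldProcess begins and ends outside these hunks.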
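Review bot: The clamp added in the `case 12`/`case 17` hunk of DhcpOptionsProcess bounds the write into NetOurHostName and NetOurRootPath, but the read side is still unchecked: nothing visible compares `popt + 2 + oplen` with `end`, so a length byte near the end of the options area lets memcpy read past it. A single check such as `if (popt + 2 + oplen > end) break;` placed before the switch would cover every option, including the fixed-size reads at `case 51` and for NetOurDNSIP. The switch head and the code that advances popt are outside the hunk, so confirm that no such check already exists there.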
@@ -79,7 +79,7 @@ IPaddr_t NetOurGatewayIP=0; /* Our gateways IP address */
 IPaddr_t NetOurDNSIP=0; /* Our DNS IP address */
 char NetOurNISDomain[32]={0,}; /* Our NIS domain */
 char NetOurHostName[32]={0,}; /* Our hostname */
-char NetOurRootPath[32]={0,}; /* Our bootpath */
+char NetOurRootPath[64]={0,}; /* Our bootpath */
 ushort NetBootFileSize=0; /* Our bootfile size in blocks */
 /** END OF BOOTP EXTENTIONS **/