c3afb9c6 MF |
1 | From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001 |
2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
3 | Date: Fri, 22 Jul 2016 21:37:59 +0100 | |
4 | Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing | |
5 | code. | |
6 | ||
7 | --- | |
8 | src/dhcp-common.c | 16 ++++++++-------- | |
9 | src/dhcp-protocol.h | 4 ++++ | |
10 | src/lease.c | 9 ++++++++- | |
11 | src/rfc3315.c | 2 +- | |
12 | 4 files changed, 21 insertions(+), 10 deletions(-) | |
13 | ||
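diff --git a/src/dhcp-common.c b/src/dhcp-common.c
index 08528e8..ecc752b 100644
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -20,11 +20,11 @@
 
 void dhcp_common_init(void)
 {
- /* These each hold a DHCP option max size 255
- and get a terminating zero added */
- daemon->dhcp_buff = safe_malloc(256);
- daemon->dhcp_buff2 = safe_malloc(256);
- daemon->dhcp_buff3 = safe_malloc(256);
+ /* These each hold a DHCP option max size 255
+ and get a terminating zero added */
+ daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ);
+ daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ);
+ daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ);
 
 /* dhcp_packet is used by v4 and v6, outpacket only by v6
 sizeof(struct dhcp_packet) is as good an initial size as any,
@@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *context)
 if (context->flags & CONTEXT_RA_STATELESS)
 {
 if (context->flags & CONTEXT_TEMPLATE)
- strncpy(daemon->dhcp_buff, context->template_interface, 256);
+ strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ);
 else
 strcpy(daemon->dhcp_buff, daemon->addrbuff);
 }
 else
 #endif
- inet_ntop(family, start, daemon->dhcp_buff, 256);
- inet_ntop(family, end, daemon->dhcp_buff3, 256);
+ inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ);
+ inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ);
 my_syslog(MS_DHCP | LOG_INFO,
 (context->flags & CONTEXT_RA_STATELESS) ?
 _("%s stateless on %s%.0s%.0s%s") :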
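Review bot: The `strncpy` into `daemon->dhcp_buff` in the `log_context` hunk still copies up to the full `DHCP_BUFF_SZ` bytes, so a `template_interface` of that length or longer would leave the buffer without a terminating zero before it is used as a string. Bounding the copy to `DHCP_BUFF_SZ - 1` and adding `daemon->dhcp_buff[DHCP_BUFF_SZ - 1] = 0;` would close that; interface names are presumably much shorter, so this is hardening rather than a demonstrated overflow. The neighbouring `strcpy(daemon->dhcp_buff, daemon->addrbuff);` relies on `addrbuff` being smaller than `DHCP_BUFF_SZ`, which is not visible here. `log_context` starts and ends outside the hunk.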
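diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h
index a31d829..0ea449b 100644
--- a/src/dhcp-protocol.h
+++ b/src/dhcp-protocol.h
@@ -19,6 +19,10 @@
 #define DHCP_CLIENT_ALTPORT 1068
 #define PXE_PORT 4011
 
+/* These each hold a DHCP option max size 255
+ and get a terminating zero added */
+#define DHCP_BUFF_SZ 256
+
 #define BOOTREQUEST 1
 #define BOOTREPLY 2
 #define DHCP_COOKIE 0x63825363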
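Review bot: The comment above `DHCP_BUFF_SZ` was copied from `dhcp_common_init` and no longer says what "these" refers to now that it sits in the header. Naming the buffers would make the constant's contract readable on its own, for example `/* Size of daemon->dhcp_buff, dhcp_buff2 and dhcp_buff3: a DHCP option of at most 255 bytes plus a terminating zero */`. It would also help to note that code reading into these buffers with a fixed field width, such as the `%255s` in `lease.c`, depends on this value staying at 256 or more.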
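diff --git a/src/lease.c b/src/lease.c
index 20cac90..ca62cc5 100644
--- a/src/lease.c
+++ b/src/lease.c
@@ -65,7 +65,14 @@ void lease_init(time_t now)
 }
 
 /* client-id max length is 255 which is 255*2 digits + 254 colons
- borrow DNS packet buffer which is always larger than 1000 bytes */
+ borrow DNS packet buffer which is always larger than 1000 bytes
+
+ Check various buffers are big enough for the code below */
+
+#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ < 764)
+# error Buffer size breakage in leasfile parsing.
+#endif
+
 if (leasestream)
 while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2)
 {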
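Review bot: The `#if` guard accepts `DHCP_BUFF_SZ == 255`, but the `fscanf` just below it uses `%255s`, which stores up to 255 characters plus a terminating zero, so each target buffer needs at least 256 bytes. The first term should read `DHCP_BUFF_SZ < 256`; as written, shrinking the constant to 255 still compiles and leaves a one-byte overflow in lease-file parsing. The `MAXDNAME` and `PACKETSZ+MAXDNAME+RRFIXEDSZ` terms presumably guard `fscanf` calls further down the loop, which runs past the end of the hunk, so the same width-plus-one reasoning should be checked there. The `#error` text also misspells "leasefile" as "leasfile".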
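diff --git a/src/rfc3315.c b/src/rfc3315.c
index c7bf46f..568b0c8 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr,
 
 if (addr)
 {
- inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255);
+ inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1);
 strcat(daemon->dhcp_buff2, " ");
 }
 else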
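Review bot: The `DHCP_BUFF_SZ - 1` passed to `inet_ntop` has no comment explaining why one byte is held back; it appears to reserve room for the space that `strcat` appends on the next line. A short comment such as `/* leave one byte for the trailing space added below */` would stop a later cleanup from changing it to `DHCP_BUFF_SZ`. The return value of `inet_ntop` is also unchecked before the `strcat`, which assumes the buffer already holds a terminated string. `log6_packet` starts and ends outside the hunk.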
101 | -- | |
102 | 1.7.10.4 | |
103 |