kernel: update to 3.14.79.
1 From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Fri, 22 Jul 2016 21:37:59 +0100
4 Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing
5 code.
6
7 ---
8 src/dhcp-common.c | 16 ++++++++--------
9 src/dhcp-protocol.h | 4 ++++
10 src/lease.c | 9 ++++++++-
11 src/rfc3315.c | 2 +-
12 4 files changed, 21 insertions(+), 10 deletions(-)
13
14 diff --git a/src/dhcp-common.c b/src/dhcp-common.c
15 index 08528e8..ecc752b 100644
16 --- a/src/dhcp-common.c
17 +++ b/src/dhcp-common.c
18 @@ -20,11 +20,11 @@
19
20 void dhcp_common_init(void)
21 {
22 - /* These each hold a DHCP option max size 255
23 - and get a terminating zero added */
24 - daemon->dhcp_buff = safe_malloc(256);
25 - daemon->dhcp_buff2 = safe_malloc(256);
26 - daemon->dhcp_buff3 = safe_malloc(256);
27 + /* These each hold a DHCP option max size 255
28 + and get a terminating zero added */
29 + daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ);
30 + daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ);
31 + daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ);
32
33 /* dhcp_packet is used by v4 and v6, outpacket only by v6
34 sizeof(struct dhcp_packet) is as good an initial size as any,
35 @@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *context)
36 if (context->flags & CONTEXT_RA_STATELESS)
37 {
38 if (context->flags & CONTEXT_TEMPLATE)
39 - strncpy(daemon->dhcp_buff, context->template_interface, 256);
40 + strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ);
41 else
42 strcpy(daemon->dhcp_buff, daemon->addrbuff);
43 }
44 else
45 #endif
46 - inet_ntop(family, start, daemon->dhcp_buff, 256);
47 - inet_ntop(family, end, daemon->dhcp_buff3, 256);
48 + inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ);
49 + inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ);
50 my_syslog(MS_DHCP | LOG_INFO,
51 (context->flags & CONTEXT_RA_STATELESS) ?
52 _("%s stateless on %s%.0s%.0s%s") :
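Review bot: The `strncpy` into `daemon->dhcp_buff` still passes the full buffer size, so a `context->template_interface` of DHCP_BUFF_SZ bytes or more would leave the buffer without a terminating zero before it reaches `my_syslog`. Interface names are normally far shorter, but nothing in this hunk enforces that; bounding the copy with `strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ - 1);` followed by `daemon->dhcp_buff[DHCP_BUFF_SZ - 1] = 0;` closes the gap. The `strcpy` from `daemon->addrbuff` on the unchanged line below is also unbounded and relies on that buffer being smaller than DHCP_BUFF_SZ, which is not visible here. log_context starts before and continues after this hunk.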
53 diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h
54 index a31d829..0ea449b 100644
55 --- a/src/dhcp-protocol.h
56 +++ b/src/dhcp-protocol.h
57 @@ -19,6 +19,10 @@
58 #define DHCP_CLIENT_ALTPORT 1068
59 #define PXE_PORT 4011
60
61 +/* These each hold a DHCP option max size 255
62 + and get a terminating zero added */
63 +#define DHCP_BUFF_SZ 256
64 +
65 #define BOOTREQUEST 1
66 #define BOOTREPLY 2
67 #define DHCP_COOKIE 0x63825363
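Review bot: The comment above `DHCP_BUFF_SZ` was copied from dhcp_common_init, and its "These each" has nothing to refer to in this header. Naming the buffers and the code that depends on the value would help whoever changes it later, for example `/* Size of daemon->dhcp_buff, dhcp_buff2 and dhcp_buff3: a DHCP option of at most 255 bytes plus a terminating zero; the %255s scan widths in lease_init() depend on it */`.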
68 diff --git a/src/lease.c b/src/lease.c
69 index 20cac90..ca62cc5 100644
70 --- a/src/lease.c
71 +++ b/src/lease.c
72 @@ -65,7 +65,14 @@ void lease_init(time_t now)
73 }
74
75 /* client-id max length is 255 which is 255*2 digits + 254 colons
76 - borrow DNS packet buffer which is always larger than 1000 bytes */
77 + borrow DNS packet buffer which is always larger than 1000 bytes
78 +
79 + Check various buffers are big enough for the code below */
80 +
81 +#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ < 764)
82 +# error Buffer size breakage in leasfile parsing.
83 +#endif
84 +
85 if (leasestream)
86 while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2)
87 {
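Review bot: The guard `DHCP_BUFF_SZ < 255` is one short: the `fscanf` just below reads with `%255s` into `daemon->dhcp_buff3` and `daemon->dhcp_buff2`, which stores up to 255 characters plus a terminating zero, so a 255-byte buffer would pass this check and still be overrun by one byte. The first condition should read `(DHCP_BUFF_SZ < 256)`. The other two thresholds may deserve the same look, since the comment counts 764 characters for a client-id without a terminator, but the scans that use them are outside this hunk. The error text also misspells the word and could read `# error Buffer size breakage in leasefile parsing.`. lease_init's body continues outside the hunk.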
88 diff --git a/src/rfc3315.c b/src/rfc3315.c
89 index c7bf46f..568b0c8 100644
90 --- a/src/rfc3315.c
91 +++ b/src/rfc3315.c
92 @@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr,
93
94 if (addr)
95 {
96 - inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255);
97 + inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1);
98 strcat(daemon->dhcp_buff2, " ");
99 }
100 else
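Review bot: The `DHCP_BUFF_SZ - 1` passed to `inet_ntop` is unexplained; it appears to reserve one byte for the space that `strcat` appends on the next line, and a comment such as `/* one byte less: a space is appended below */` would keep a later edit from "correcting" it to DHCP_BUFF_SZ. The return value of `inet_ntop` is not checked before the `strcat`, which is harmless only as long as the call cannot fail for AF_INET6 with a buffer of this size. log6_packet starts before and continues after the hunk.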
101 --
102 1.7.10.4
103