[dhcp] Copy exactly the required length when resizing DHCP options

When resizing DHCP options, iPXE currently calculates the length to be
copied by subtracting the destination pointer from the end of buffer
pointer.  This works and guarantees not to write beyond the end of the
buffer, but may end up reading beyond the end of the buffer.

Fix by calculating the required length exactly.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/net/dhcpopts.c b/src/net/dhcpopts.c
index 6d29a7b5ec18edb67cc715899a2d74da65b05982..8cd19cf808a10116c8567bb5c4625d978167d75d 100644 (file)
--- a/src/net/dhcpopts.c
+++ b/src/net/dhcpopts.c
@@ -202,7 +202,6 @@ static int resize_dhcp_option ( struct dhcp_options *options,
        size_t new_encapsulator_len;
        void *source;
        void *dest;
-       void *end;
        int rc;
 
        /* Check for sufficient space */
@@ -245,8 +244,7 @@ static int resize_dhcp_option ( struct dhcp_options *options,
        option = dhcp_option ( options, offset );
        source = ( ( ( void * ) option ) + old_len );
        dest = ( ( ( void * ) option ) + new_len );
-       end = ( options->data + options->alloc_len );
-       memmove ( dest, source, ( end - dest ) );
+       memmove ( dest, source, ( new_used_len - offset - new_len ) );
 
        /* Shrink options block, if applicable */
        if ( new_used_len < options->alloc_len ) {