From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 26 Aug 2015 17:18:11 +0000 (+0200)
Subject: dhcp: be more careful when parsing strings from DHCP packets
X-Git-Tag: v226~89^2~34
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=43f447b121b38c01a7c5626a51cc571a822250b8;p=thirdparty%2Fsystemd.git

dhcp: be more careful when parsing strings from DHCP packets

Let's make sure there's no embedded 0 byte. Also, let's reset the string
if the length is zero.
---

diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c
index f5b9e225899..57369a353de 100644
--- a/src/libsystemd-network/sd-dhcp-lease.c
+++ b/src/libsystemd-network/sd-dhcp-lease.c
@@ -287,13 +287,17 @@ static int lease_parse_string(const uint8_t *option, size_t len, char **ret) {
         if (len >= 1) {
                 char *string;
 
+                if (memchr(option, 0, len))
+                        return -EINVAL;
+
                 string = strndup((const char *)option, len);
                 if (!string)
-                        return -errno;
+                        return -ENOMEM;
 
                 free(*ret);
                 *ret = string;
-        }
+        } else
+                *ret = mfree(*ret);
 
         return 0;
 }