net: dhcpv6: Prevent buffer overflow during BOOTFILE_URL parsing

The net_boot_file_name is a 1024 byte buffer.
However, based on DHCPv6 RFC, bootfile-url length is
specified by option_len, a 16-bit unsigned integer
(valid range: 0-65535).
Hence, one needs to make sure that option_len is less
than the size of net_boot_file_name array before copying
bootfile-url to net_boot_file_name.

Signed-off-by: Francois Berder <fberder@outlook.fr>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>

diff --git a/net/dhcpv6.c b/net/dhcpv6.c
index 5bf935cb6a301db8db028ca34b4de53f2997dca5..51f44979f8e8bec686f414b2ba4c583610b60731 100644 (file)
--- a/net/dhcpv6.c
+++ b/net/dhcpv6.c
@@ -377,6 +377,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned int len)
                        break;
                case DHCP6_OPTION_OPT_BOOTFILE_URL:
                        debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n");
+                       if (option_len >= sizeof(net_boot_file_name)) {
+                               debug("Option length for BOOTFILE_URL is greater or equal than %zu. Skipping\n",
+                                     sizeof(net_boot_file_name));
+                               break;
+                       }
                        copy_filename(net_boot_file_name, option_ptr, option_len + 1);
                        debug("net_boot_file_name: %s\n", net_boot_file_name);