author | Kenneth R Westerback <krw@cvs.openbsd.org> | 2007-01-11 00:04:49 +0000 |
---|---|---|
committer | Kenneth R Westerback <krw@cvs.openbsd.org> | 2007-01-11 00:04:49 +0000 |
commit | d1e403547360172021b67c50c76c748168249cac (patch) | |
tree | aee0186deb52e64a3d0ff8c849c20924b3cdd056 /sbin | |
parent | 9ef1f735e7b596535b8ea6c3045d5ed97ba7ca41 (diff) |
Reject all packets with an option claiming to extend past the end of
an option buffer. No longer accept the 6th such packet. From ISC.
ok ckuethe@ stevesk@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/dhclient/options.c | 45 |
1 files changed, 13 insertions, 32 deletions
diff --git a/sbin/dhclient/options.c b/sbin/dhclient/options.c
index 2e2d57b4f34..fd69f805014 100644
--- a/sbin/dhclient/options.c
+++ b/sbin/dhclient/options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: options.c,v 1.29 2007/01/06 23:21:08 krw Exp $ */
+/* $OpenBSD: options.c,v 1.30 2007/01/11 00:04:48 krw Exp $ */
 /* DHCP options parsing and reassembly. */
@@ -44,9 +44,6 @@
 #include "dhcpd.h"
-int bad_options = 0;
-int bad_options_max = 5;
-
 void parse_options(struct packet *);
 void parse_option_buffer(struct packet *, unsigned char *, int);
@@ -109,41 +106,25 @@ parse_option_buffer(struct packet *packet,
 s++;
 continue;
 }
- if (s + 2 > end) {
- len = 65536;
- goto bogus;
- }
 /*
- * All other fields (except end, see above) have a
- * one-byte length.
+ * All options other than DHO_PAD and DHO_END have a
+ * one-byte length field.
 */
- len = s[1];
+ if (s + 2 > end)
+ len = 0;
+ else
+ len = s[1];
 /*
- * If the length is outrageous, silently skip the rest,
- * and mark the packet bad. Unfortunately some crappy
- * dhcp servers always seem to give us garbage on the
- * end of a packet. so rather than keep refusing, give
- * up and try to take one after seeing a few without
- * anything good.
+ * If the option claims to extend beyond the end of the buffer
+ * then mark the options buffer bad.
 */
 if (s + len + 2 > end) {
- bogus:
- bad_options++;
- warning("option %s (%d) %s.",
- dhcp_options[code].name, len,
- "larger than buffer");
- if (bad_options == bad_options_max) {
- packet->options_valid = 1;
- bad_options = 0;
- warning("Many bogus options seen in offers. "
- "Taking this offer in spite of bogus "
- "options - hope for the best!");
- } else {
- warning("rejecting bogus offer.");
- packet->options_valid = 0;
- }
+ warning("option %s (%d) larger than buffer.",
+ dhcp_options[code].name, len);
+ warning("rejecting bogus offer.");
+ packet->options_valid = 0;
 return;
 }
 /* |
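Review bot: Both bounds checks in the third hunk compare pointers that may already lie past the end of the option buffer. `s + 2 > end` and `s + len + 2 > end` can form an address up to 257 bytes beyond `end`, which is undefined behaviour in C and lets an optimising compiler assume the comparison is false. Comparing remaining lengths avoids this: `if (end - s < 2)` for the missing-length-byte case and `if (len + 2 > end - s) {` for the overrun case. This assumes `s <= end` holds on entry to each iteration; the loop condition is outside the hunk. When the length byte itself is missing, the warning prints `(0) larger than buffer`, which reads as a zero-length option rather than a truncated one, so a distinct message for that case would make logs of malformed offers easier to triage. `parse_option_buffer` begins and ends outside this hunk, so the declarations of `len` and `code` and the size of `dhcp_options[]` could not be checked here.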