From 7a95d4c3fef110ecdd9c8b2f6c516bc31e6dc883 Mon Sep 17 00:00:00 2001
From: Kenneth R Westerback
Date: Fri, 18 Jan 2008 20:14:04 +0000
Subject: Call store_options() with correct cutoff values, i.e. ones not 7 bytes too large. Fixes a problem where a nicely crafted packet could crash dhcpd. Nuke a superfluous declaration of store_options() while here. Problem found and fix tested by Peter Hessler. ok beck@ millert@ henning@
---
 usr.sbin/dhcpd/dhcpd.h | 4 +---
 usr.sbin/dhcpd/options.c | 6 +++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/usr.sbin/dhcpd/dhcpd.h b/usr.sbin/dhcpd/dhcpd.h
index 80b2a333f4f..3472ab40f27 100644
--- a/usr.sbin/dhcpd/dhcpd.h
+++ b/usr.sbin/dhcpd/dhcpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhcpd.h,v 1.34 2007/10/29 16:51:02 krw Exp $ */
+/* $OpenBSD: dhcpd.h,v 1.35 2008/01/18 20:14:03 krw Exp $ */
 /* * Copyright (c) 1995, 1996, 1997, 1998, 1999
@@ -472,8 +472,6 @@ void parse_options(struct packet *);
 void parse_option_buffer(struct packet *, unsigned char *, int);
 int cons_options(struct packet *, struct dhcp_packet *, int, struct tree_cache **, int, int, int, u_int8_t *, int);
-int store_options(unsigned char *, int, struct tree_cache **,
- unsigned char *, int, int, int);
 char *pretty_print_option(unsigned int, unsigned char *, int, int, int);
 void do_packet(struct interface_info *, struct dhcp_packet *, int, unsigned int, struct iaddr, struct hardware *);
diff --git a/usr.sbin/dhcpd/options.c b/usr.sbin/dhcpd/options.c
index d98dfff221a..749b387f6a1 100644
--- a/usr.sbin/dhcpd/options.c
+++ b/usr.sbin/dhcpd/options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: options.c,v 1.19 2007/10/29 16:51:02 krw Exp $ */
+/* $OpenBSD: options.c,v 1.20 2008/01/18 20:14:03 krw Exp $ */
 /* DHCP options parsing and reassembly. */
@@ -308,8 +308,8 @@ cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
 buffer, (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0) + ((overload & 2) ? DHCP_SNAME_LEN : 0)),
- options, priority_list, main_buffer_size,
- (main_buffer_size + ((overload & 1) ? DHCP_FILE_LEN : 0)),
+ options, priority_list, main_buffer_size - 7,
+ (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0)),
 terminate);
 /* Initialize the buffers to be used and put the cookie up front. */
-- cgit v1.2.3
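Review bot: The `- 7` adjustment is now written out three times in this one store_options() call (the buffer length and both cutoffs), and the crash this commit fixes came from those copies disagreeing, so the value should be computed once and documented. A local such as `int main_len = main_buffer_size - 7; /* TODO confirm: bytes reserved ahead of the options (cookie + overload option?) */` before the call, with `main_len` used in all three arguments, keeps them in step. The hunk shows no lower bound on main_buffer_size, and the prototype removed from dhcpd.h shows the cutoffs are plain `int`, so a value below 7 would make both cutoffs negative; a guard ahead of the call is worth adding if the function does not already have one. cons_options() begins and ends outside this hunk, so both points need checking against the full function.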