david/ipxe

[dhcp] Copy exactly the required length when resizing DHCP options

When resizing DHCP options, iPXE currently calculates the length to be
copied by subtracting the destination pointer from the end of buffer
pointer.  This works and guarantees not to write beyond the end of the
buffer, but may end up reading beyond the end of the buffer.

Fix by calculating the required length exactly.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown 2014-02-26 16:44:05 +00:00
parent ff341c1861
commit ced4f8d1d3


@ -202,7 +202,6 @@ static int resize_dhcp_option ( struct dhcp_options *options,
size_t new_encapsulator_len; size_t new_encapsulator_len;
void *source; void *source;
void *dest; void *dest;
void *end;
int rc; int rc;
/* Check for sufficient space */ /* Check for sufficient space */
@ -245,8 +244,7 @@ static int resize_dhcp_option ( struct dhcp_options *options,
option = dhcp_option ( options, offset ); option = dhcp_option ( options, offset );
source = ( ( ( void * ) option ) + old_len ); source = ( ( ( void * ) option ) + old_len );
dest = ( ( ( void * ) option ) + new_len ); dest = ( ( ( void * ) option ) + new_len );
end = ( options->data + options->alloc_len ); memmove ( dest, source, ( new_used_len - offset - new_len ) );
memmove ( dest, source, ( end - dest ) );
/* Shrink options block, if applicable */ /* Shrink options block, if applicable */
if ( new_used_len < options->alloc_len ) { if ( new_used_len < options->alloc_len ) {
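
Review bot: the new length `( new_used_len - offset - new_len )` passed to memmove() carries no comment saying what it measures, and nothing in this hunk shows that `new_used_len` is at least `offset + new_len`. Since `dest` is `option + new_len` and `option` is looked up at `offset`, the expression reads as the number of bytes between `dest` and the new end of used data, which is the tail that follows the resized option. A one-line comment to that effect, or a named local such as `tail_len`, would make the bound auditable without re-deriving it. The subtraction also depends on the earlier "Check for sufficient space" block and on how `new_used_len` is computed, both outside the visible context. If these values are unsigned, as the `size_t` declarations in the first hunk suggest, a violated invariant would wrap to a very large length rather than fail, so an assertion that `new_used_len >= offset + new_len` just before the memmove() would be cheap insurance. The old form `( end - dest )` bounded only the write side: with `source` at `option + old_len`, a shrink (`old_len > new_len`) made `source + ( end - dest )` land past `end`, which matches the over-read described in the commit message.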