ref: ff44b92c9641ffae799a5e12f88eb42294f24f2f
parent: 9314883aff7950820a26782d863a78d18be93635
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Tue Oct 22 02:53:50 EDT 2019
ip/dhcpd: prevent client from increasing max reply size beyond the reply buffer capacity
--- a/sys/src/cmd/ip/dhcpd/dhcpd.c
+++ b/sys/src/cmd/ip/dhcpd/dhcpd.c
@@ -1078,17 +1078,22 @@
v4tov6(rp->server, o);
break;
case ODmessage:
- if(n > sizeof rp->msg-1)
- n = sizeof rp->msg-1;
+ if(n > sizeof(rp->msg)-1)
+ n = sizeof(rp->msg)-1;
memmove(rp->msg, o, n);
rp->msg[n] = 0;
break;
case ODmaxmsg:
+ if(n < 2)
+ break;
c = nhgets(o);
- c -= 28;
+ c -= IPUDPHDRSIZE;
+ if(c <= 0)
+ break;
c += Udphdrsize;
- if(c > 0)
- rp->max = rp->buf + c;
+ if(c > sizeof(rp->buf))
+ c = sizeof(rp->buf);
+ rp->max = rp->buf + c;
break;
case ODclientid:
if(n <= 1)
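Review bot: The ODmaxmsg case has no lower bound on the client-supplied size: any value that leaves `c > 0` after subtracting IPUDPHDRSIZE is accepted, so a client can still pull `rp->max` down to a few bytes past the UDP header. RFC 2132 gives 576 as the minimum legal value for this option, so I would ignore smaller requests with `if(c < 576) break;` right after `c = nhgets(o);`. The code that writes the fixed header and the options is not visible in this hunk, so it should be checked for how it behaves when `rp->max` lies below its write pointer. If `c` is a signed int, as the `c <= 0` test suggests, the comparison `c > sizeof(rp->buf)` is only safe because that test runs first; a one-line comment such as `/* c > 0 here, so the unsigned compare is safe */` would protect it from a later reorder. The enclosing switch starts and ends outside the hunk.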