diff options
| author | Evan Hunt <each@isc.org> | 2007-10-26 22:46:50 +0000 |
|---|---|---|
| committer | Evan Hunt <each@isc.org> | 2007-10-26 22:46:50 +0000 |
| commit | e2624b82f1121e8729b855fbb40eca082fe72eef (patch) | |
| tree | 6a0eb7a89ca70ac3b486afdf46a2e4ad2a7f7405 /includes | |
| parent | 6b911c8634bd3885dc71cb0beeae7c9b9ffa8024 (diff) | |
| download | isc-dhcp-e2624b82f1121e8729b855fbb40eca082fe72eef.tar.gz | |
- Reworked cons_options() and store_options() to fix a buffer
overflow that could result in a DoS (CVS 2007-0062). Also general
code tidying. [rt17090]
- Also fixed a spurious error message on the client. [rt17250]
Diffstat (limited to 'includes')
| -rw-r--r-- | includes/dhcp.h | 12 | ||||
| -rw-r--r-- | includes/dhcpd.h | 17 |
2 files changed, 18 insertions, 11 deletions
diff --git a/includes/dhcp.h b/includes/dhcp.h index 1ee7b7b9..ee23a29d 100644 --- a/includes/dhcp.h +++ b/includes/dhcp.h @@ -34,17 +34,19 @@ #define DHCP_H #define DHCP_UDP_OVERHEAD (20 + /* IP header */ \ - 8) /* UDP header */ + 8) /* UDP header */ #define DHCP_SNAME_LEN 64 #define DHCP_FILE_LEN 128 #define DHCP_FIXED_NON_UDP 236 #define DHCP_FIXED_LEN (DHCP_FIXED_NON_UDP + DHCP_UDP_OVERHEAD) /* Everything but options. */ +#define BOOTP_MIN_LEN 300 + #define DHCP_MTU_MAX 1500 -#define DHCP_OPTION_LEN (DHCP_MTU_MAX - DHCP_FIXED_LEN) +#define DHCP_MTU_MIN 576 -#define BOOTP_MIN_LEN 300 -#define DHCP_MIN_LEN 548 +#define DHCP_MAX_OPTION_LEN (DHCP_MTU_MAX - DHCP_FIXED_LEN) +#define DHCP_MIN_OPTION_LEN (DHCP_MTU_MIN - DHCP_FIXED_LEN) struct dhcp_packet { u_int8_t op; /* 0: Message opcode/type */ @@ -61,7 +63,7 @@ struct dhcp_packet { unsigned char chaddr [16]; /* 24: Client hardware address */ char sname [DHCP_SNAME_LEN]; /* 40: Server name */ char file [DHCP_FILE_LEN]; /* 104: Boot filename */ - unsigned char options [DHCP_OPTION_LEN]; + unsigned char options [DHCP_MAX_OPTION_LEN]; /* 212: Optional parameters (actual length dependent on MTU). */ }; diff --git a/includes/dhcpd.h b/includes/dhcpd.h index d80b5fc9..7c7ddba9 100644 --- a/includes/dhcpd.h +++ b/includes/dhcpd.h @@ -1399,12 +1399,17 @@ fqdn6_universe_decode(struct option_state *options, struct universe *u); int append_option(struct data_string *dst, struct universe *universe, struct option *option, struct data_string *src); -int store_options PROTO ((int *, unsigned char *, unsigned, struct packet *, - struct lease *, struct client_state *, - struct option_state *, - struct option_state *, struct binding_scope **, - unsigned *, int, unsigned, unsigned, - int, const char *)); +int +store_options(int *ocount, + unsigned char *buffer, unsigned buflen, unsigned index, + struct packet *packet, struct lease *lease, + struct client_state *client_state, + struct option_state *in_options, + struct option_state *cfg_options, + struct binding_scope **scope, + unsigned *priority_list, int priority_len, + unsigned first_cutoff, int second_cutoff, int terminate, + const char *vuname); int store_options6(char *, int, struct option_state *, struct packet *, const int *, struct data_string *); int format_has_text(const char *); |