[klibc] ipconfig: A bit more robust bootp/dhcp option parsing
Be a bit more strict about our BOOTP/DHCP option parsing to avoid
segmentation faults.
Signed-off-by: KUMAAN <9maaan@gmail.com>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: maximilian attems <max@stro.at>
diff --git a/usr/kinit/ipconfig/bootp_proto.c b/usr/kinit/ipconfig/bootp_proto.c
index f2cc90c..e3d50e3 100644
--- a/usr/kinit/ipconfig/bootp_proto.c
+++ b/usr/kinit/ipconfig/bootp_proto.c
@@ -87,8 +87,12 @@
else if (opt == 255)
break;
+ if (ext - exts >= extlen)
+ break;
len = *ext++;
+ if (ext - exts + len > extlen)
+ break;
switch (opt) {
case 1: /* subnet mask */
if (len == 4)
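Review bot: Both added checks leave the loop with a bare `break` when the length byte is missing or the declared length runs past `extlen`, so a truncated or malformed options area ends parsing exactly like a normal end marker (255). Options handled before that point appear to stay applied. Whether the caller can tell the two cases apart is not visible, because the loop header and the function's return are outside the hunk. At minimum, a comment above each check such as `/* length byte or payload would run past extlen: malformed packet, stop parsing */` would record the intent. If the function has a failure return, rejecting the reply may be the safer choice for data that arrives from the network; the same pattern is in the dhcp_proto.c hunk.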
diff --git a/usr/kinit/ipconfig/dhcp_proto.c b/usr/kinit/ipconfig/dhcp_proto.c
index a461c6d..8ca2614 100644
--- a/usr/kinit/ipconfig/dhcp_proto.c
+++ b/usr/kinit/ipconfig/dhcp_proto.c
@@ -92,20 +92,35 @@
uint8_t *ext;
for (ext = exts + 4; ext - exts < extlen;) {
- uint8_t len, *opt = ext++;
- if (*opt == 0)
- continue;
+ int len;
+ uint8_t opt = *ext++;
+ if (opt == 0)
+ continue;
+ else if (opt == 255)
+ break;
+
+ if (ext - exts >= extlen)
+ break;
len = *ext++;
+ if (ext - exts + len > extlen)
+ break;
+ switch (opt) {
+ case 51: /* IP Address Lease Time */
+ if (len == 4)
+ leasetime = ntohl(*(uint32_t *)ext);
+ break;
+ case 53: /* DHCP Message Type */
+ if (len == 1)
+ type = *ext;
+ break;
+ case 54: /* Server Identifier */
+ if (len == 4)
+ memcpy(&serverid, ext, 4);
+ break;
+ }
ext += len;
-
- if (*opt == 51 && len == 4)
- leasetime = ntohl(*(uint32_t *)(opt + 2));
- if (*opt == 53)
- type = opt[2];
- if (*opt == 54)
- memcpy(&serverid, opt + 2, 4);
}
}
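Review bot: The lease-time case (option 51) still reads the payload through `*(uint32_t *)ext`, and nothing in the hunk guarantees that `ext` is 4-byte aligned, since it follows a run of variable-length options. On architectures that trap on unaligned loads this could still fault even though the length is now validated, and the cast is also a strict-aliasing hazard. The server identifier case just below already copies with `memcpy`, so the same form fits here: `uint32_t v; memcpy(&v, ext, 4); leasetime = ntohl(v);`. The declarations of `exts`, `extlen` and `leasetime` are outside the hunk, so their types are not confirmed here.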