Blame SOURCES/dhcp-4.2.5-options_overflow.patch

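diff --git a/common/options.c b/common/options.c
index 83e0384..8a1deca 100644
--- a/common/options.c
+++ b/common/options.c
@@ -1672,7 +1672,8 @@ format_min_length(format, oc)
 
 
 /* Format the specified option so that a human can easily read it. */
-
+/* Maximum pretty printed size */
+#define MAX_OUTPUT_SIZE 32*1024
 const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 	struct option *option;
 	const unsigned char *data;
@@ -1680,8 +1681,9 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 	int emit_commas;
 	int emit_quotes;
 {
-	static char optbuf [32768]; /* XXX */
-	static char *endbuf = &optbuf[sizeof(optbuf)];
+	/* We add 128 byte pad so we don't have to add checks everywhere. */
+	static char optbuf [MAX_OUTPUT_SIZE + 128]; /* XXX */
+	static char *endbuf = optbuf + MAX_OUTPUT_SIZE;
 	int hunksize = 0;
 	int opthunk = 0;
 	int hunkinc = 0;
@@ -2132,7 +2134,14 @@ const char *pretty_print_option (option, data, len, emit_commas, emit_quotes)
 				log_error ("Unexpected format code %c",
 					   fmtbuf [j]);
 			}
+
 			op += strlen (op);
+			if (op >= endbuf) {
+				log_error ("Option data exceeds"
+					   " maximum size %d", MAX_OUTPUT_SIZE);
+					   return ("<error>");
+			}
+
 			if (dp == data + len)
 				break;
 			if (j + 1 < numelem && comma != ':')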
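Review bot: The new `op >= endbuf` test in the third hunk runs only after the element has already been written at `op`, so it detects an overrun rather than preventing one; it is safe only if no single format code can emit more than the 128 bytes of pad between two checks, and the writers are outside these hunks so that cannot be confirmed here. I would state that invariant where the pad is declared, e.g. `/* 128-byte pad: every format code must emit < 128 bytes before the op >= endbuf check */`, or bound each write by `endbuf - op`. The macro should also be parenthesized, `#define MAX_OUTPUT_SIZE (32 * 1024)`, so it stays correct if it is ever used in a division or modulo expression. The `return ("<error>");` line is indented as if it continued the `log_error` arguments and should sit at the level of the `log_error` call. The body of pretty_print_option starts and ends outside these hunks.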