Fix an off by one error when we limit append/prepend text sizes based on our

internal buffer sizes. When we 'append', assume we're appending to text. Some MS dhcp servers will give us a string with the length including the trailing NUL. when we 'append domain-name', we get something like "search x.y\000 z" in resolv.conf :( MFC after: 1 week Security: A buffer overflow (by one NUL byte) was possible.
svn path=/head/; revision=193765
2024-11-28 13:22:48 +00:00 · 2009-06-08 21:42:30 +00:00 · 2009-06-08 21:42:30 +00:00 · 043bcc8d44 · 2020-12-20 02:59:44 +00:00
commit 043bcc8d44
parent 27bfb741a0
1 changed files with 15 additions and 5 deletions
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@ -1977,7 +1977,7 @@ supersede:
 					len = ip->client->
 					    config->defaults[i].len +
 					    lease->options[i].len;
-					if (len > sizeof(dbuf)) {
+					if (len >= sizeof(dbuf)) {
 						warning("no space to %s %s",
 						    "prepend option",
 						    dhcp_options[i].name);
@ -1996,24 +1996,34 @@ supersede:
 					dp[len] = '\0';
 					break;
 				case ACTION_APPEND:
+					/*
+					 * When we append, we assume that we're
+					 * appending to text.  Some MS servers
+					 * include a NUL byte at the end of
+					 * the search string provided.
+					 */
 					len = ip->client->
 					    config->defaults[i].len +
 					    lease->options[i].len;
-					if (len > sizeof(dbuf)) {
+					if (len >= sizeof(dbuf)) {
 						warning("no space to %s %s",
 						    "append option",
 						    dhcp_options[i].name);
 						goto supersede;
 					}
-					dp = dbuf;
-					memcpy(dp,
+					memcpy(dbuf,
 						lease->options[i].data,
 						lease->options[i].len);
-					memcpy(dp + lease->options[i].len,
+					for (dp = dbuf + lease->options[i].len;
+					    dp > dbuf; dp--, len--)
+						if (dp[-1] != '\0')
+							break;
+					memcpy(dp,
 						ip->client->
 						config->defaults[i].data,
 						ip->client->
 						config->defaults[i].len);
+					dp = dbuf;
 					dp[len] = '\0';
 				}
 			} else {