mirror/lwip
1
0
Fork 0
mirror of https://github.com/lwip-tcpip/lwip.git synced 2024-12-26 03:16:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix usage of uninitialized data in dhcp.c by checking pbuf_copy_partial() return value

Browse Source
This commit is contained in:
Dirk Ziegelmeier 2016-08-30 21:33:43 +02:00
parent f5135b05d9
commit 8d45162a59
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/core/ipv4/dhcp.c
View File

@ -1493,7 +1493,7 @@ again:
int decode_idx = -1; int decode_idx = -1;
u16_t val_offset = offset + 2; u16_t val_offset = offset + 2;
/* len byte might be in the next pbuf */ /* len byte might be in the next pbuf */
if (offset + 1 < q->len) { if ((offset + 1) < q->len) {
len = options[offset + 1]; len = options[offset + 1];
} else { } else {
len = (q->next != NULL ? ((u8_t*)q->next->payload)[0] : 0); len = (q->next != NULL ? ((u8_t*)q->next->payload)[0] : 0);
@ -1572,7 +1572,9 @@ decode_next:
LWIP_ASSERT("check decode_idx", decode_idx >= 0 && decode_idx < DHCP_OPTION_IDX_MAX); LWIP_ASSERT("check decode_idx", decode_idx >= 0 && decode_idx < DHCP_OPTION_IDX_MAX);
if (!dhcp_option_given(dhcp, decode_idx)) { if (!dhcp_option_given(dhcp, decode_idx)) {
copy_len = LWIP_MIN(decode_len, 4); copy_len = LWIP_MIN(decode_len, 4);
pbuf_copy_partial(q, &value, copy_len, val_offset); if (pbuf_copy_partial(q, &value, copy_len, val_offset) != copy_len) {
return ERR_BUF;
}
if (decode_len > 4) { if (decode_len > 4) {
/* decode more than one u32_t */ /* decode more than one u32_t */
LWIP_ERROR("decode_len % 4 == 0", decode_len % 4 == 0, return ERR_VAL;); LWIP_ERROR("decode_len % 4 == 0", decode_len % 4 == 0, return ERR_VAL;);
@ -1628,7 +1630,9 @@ decode_next:
if (dhcp_option_given(dhcp, DHCP_OPTION_IDX_MSG_TYPE) && if (dhcp_option_given(dhcp, DHCP_OPTION_IDX_MSG_TYPE) &&
(dhcp_get_option_value(dhcp, DHCP_OPTION_IDX_MSG_TYPE) == DHCP_ACK)) (dhcp_get_option_value(dhcp, DHCP_OPTION_IDX_MSG_TYPE) == DHCP_ACK))
/* copy bootp file name, don't care for sname (server hostname) */ /* copy bootp file name, don't care for sname (server hostname) */
pbuf_copy_partial(p, dhcp->boot_file_name, DHCP_FILE_LEN-1, DHCP_FILE_OFS); if (pbuf_copy_partial(p, dhcp->boot_file_name, DHCP_FILE_LEN-1, DHCP_FILE_OFS) != (DHCP_FILE_LEN-1)) {
return ERR_BUF;
}
/* make sure the string is really NULL-terminated */ /* make sure the string is really NULL-terminated */
dhcp->boot_file_name[DHCP_FILE_LEN-1] = 0; dhcp->boot_file_name[DHCP_FILE_LEN-1] = 0;
} }