소스 검색

[dhcp] Copy exactly the required length when resizing DHCP options

When resizing DHCP options, iPXE currently calculates the length to be
copied by subtracting the destination pointer from the end of buffer
pointer.  This works and guarantees not to write beyond the end of the
buffer, but may end up reading beyond the end of the buffer.

Fix by calculating the required length exactly.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 10 년 전
부모
커밋
ced4f8d1d3
1개의 변경된 파일1개의 추가작업 그리고 3개의 파일을 삭제
  1. 1
    3
      src/net/dhcpopts.c

+ 1
- 3
src/net/dhcpopts.c 파일 보기

@@ -202,7 +202,6 @@ static int resize_dhcp_option ( struct dhcp_options *options,
202 202
 	size_t new_encapsulator_len;
203 203
 	void *source;
204 204
 	void *dest;
205
-	void *end;
206 205
 	int rc;
207 206
 
208 207
 	/* Check for sufficient space */
@@ -245,8 +244,7 @@ static int resize_dhcp_option ( struct dhcp_options *options,
245 244
 	option = dhcp_option ( options, offset );
246 245
 	source = ( ( ( void * ) option ) + old_len );
247 246
 	dest = ( ( ( void * ) option ) + new_len );
248
-	end = ( options->data + options->alloc_len );
249
-	memmove ( dest, source, ( end - dest ) );
247
+	memmove ( dest, source, ( new_used_len - offset - new_len ) );
250 248
 
251 249
 	/* Shrink options block, if applicable */
252 250
 	if ( new_used_len < options->alloc_len ) {

Loading…
취소
저장