Преглед изворни кода

[dhcp] Copy exactly the required length when resizing DHCP options

When resizing DHCP options, iPXE currently calculates the length to be
copied by subtracting the destination pointer from the end of buffer
pointer.  This works and guarantees not to write beyond the end of the
buffer, but may end up reading beyond the end of the buffer.

Fix by calculating the required length exactly.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown пре 10 година
родитељ
комит
ced4f8d1d3
1 измењених фајлова са 1 додато и 3 уклоњено
  1. 1
    3
      src/net/dhcpopts.c

+ 1
- 3
src/net/dhcpopts.c Прегледај датотеку

@@ -202,7 +202,6 @@ static int resize_dhcp_option ( struct dhcp_options *options,
202 202
 	size_t new_encapsulator_len;
203 203
 	void *source;
204 204
 	void *dest;
205
-	void *end;
206 205
 	int rc;
207 206
 
208 207
 	/* Check for sufficient space */
@@ -245,8 +244,7 @@ static int resize_dhcp_option ( struct dhcp_options *options,
245 244
 	option = dhcp_option ( options, offset );
246 245
 	source = ( ( ( void * ) option ) + old_len );
247 246
 	dest = ( ( ( void * ) option ) + new_len );
248
-	end = ( options->data + options->alloc_len );
249
-	memmove ( dest, source, ( end - dest ) );
247
+	memmove ( dest, source, ( new_used_len - offset - new_len ) );
250 248
 
251 249
 	/* Shrink options block, if applicable */
252 250
 	if ( new_used_len < options->alloc_len ) {

Loading…
Откажи
Сачувај