
[dhcp] Copy exactly the required length when resizing DHCP options

When resizing DHCP options, iPXE currently calculates the length to be
copied by subtracting the destination pointer from the end of buffer
pointer.  This works and guarantees not to write beyond the end of the
buffer, but may end up reading beyond the end of the buffer.

Fix by calculating the required length exactly.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 10 years ago
parent
commit
ced4f8d1d3
1 changed files with 1 additions and 3 deletions

src/net/dhcpopts.c View File

202
 	size_t new_encapsulator_len;
202
 	size_t new_encapsulator_len;
203
 	void *source;
203
 	void *source;
204
 	void *dest;
204
 	void *dest;
205
-	void *end;
206
 	int rc;
205
 	int rc;
207
 
206
 
208
 	/* Check for sufficient space */
207
 	/* Check for sufficient space */
245
 	option = dhcp_option ( options, offset );
244
 	option = dhcp_option ( options, offset );
246
 	source = ( ( ( void * ) option ) + old_len );
245
 	source = ( ( ( void * ) option ) + old_len );
247
 	dest = ( ( ( void * ) option ) + new_len );
246
 	dest = ( ( ( void * ) option ) + new_len );
248
-	end = ( options->data + options->alloc_len );
249
-	memmove ( dest, source, ( end - dest ) );
247
+	memmove ( dest, source, ( new_used_len - offset - new_len ) );
250
 
248
 
251
 	/* Shrink options block, if applicable */
249
 	/* Shrink options block, if applicable */
252
 	if ( new_used_len < options->alloc_len ) {
250
 	if ( new_used_len < options->alloc_len ) {
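
Review bot: In the replacement memmove, the length ( new_used_len - offset - new_len ) is unsigned size_t arithmetic, and nothing in the visible lines establishes that new_used_len is at least offset + new_len at this point. If that ever failed, the subtraction would wrap and the copy would be far larger than the one it replaces, which was at least bounded by options->alloc_len. The "Check for sufficient space" block earlier in the function is presumably what guarantees this, so I would add an assert or a one-line comment beside the memmove stating the invariant and noting that the length is the number of bytes that follow the resized option in the new layout. With end removed, the write bound is no longer visible in the expression itself, so it is also worth stating that dest plus this length ends at new_used_len, which must not exceed options->alloc_len.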
