Page MenuHomeFreeBSD
Files F155105589

D56740.id176887.diff
No OneTemporary
Actions

D56740.id176887.diff
View Options

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1161,7 +1161,7 @@
lease = malloc(sizeof(struct client_lease));
if (!lease) {
- warning("dhcpoffer: no memory to record lease.");
+ warning("dhcpoffer: no memory to record lease");
return (NULL);
}
@@ -1211,7 +1211,7 @@
/* If the server name was filled out, copy it.
Do not attempt to validate the server name as a host name.
- RFC 2131 merely states that sname is NUL-terminated (which do
+ RFC 2131 merely states that sname is NUL-terminated (which we
do not assume) and that it is the server's host name. Since
the ISC client and server allow arbitrary characters, we do
as well. */
@@ -1219,18 +1219,30 @@
!(packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 2)) &&
packet->raw->sname[0]) {
lease->server_name = malloc(DHCP_SNAME_LEN + 1);
- if (!lease->server_name) {
- warning("dhcpoffer: no memory for server name.");
+ if (lease->server_name != NULL) {
+ warning("dhcpoffer: no memory for server name");
free_client_lease(lease);
return (NULL);
}
- memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN);
- lease->server_name[DHCP_SNAME_LEN]='\0';
- if (strchr(lease->server_name, '"') != NULL ||
- strchr(lease->server_name, '\\') != NULL) {
- warning("dhcpoffer: server name contains invalid characters.");
- free_client_lease(lease);
- return (NULL);
+ for (i = 0; i < DHCP_SNAME_LEN; i++) {
+ if (packet->raw->sname[i] == '\0') {
+ break;
+ }
+ if (packet->raw->sname[i] < ' ' ||
+ packet->raw->sname[i] == '"' ||
+ packet->raw->sname[i] == '\\') {
+ warning("dhcpoffer: server name contains "
+ "unsafe characters");
+ free(lease->server_name);
+ lease->server_name = NULL;
+ break;
+ }
+ lease->server_name[i] = packet->raw->sname[i];
+ }
+ if (lease->server_name != NULL) {
+ while (i < DHCP_SNAME_LEN + 1) {
+ lease->server_name[i++] = '\0';
+ }
}
}
@@ -1240,18 +1252,30 @@
packet->raw->file[0]) {
/* Don't count on the NUL terminator. */
lease->filename = malloc(DHCP_FILE_LEN + 1);
- if (!lease->filename) {
- warning("dhcpoffer: no memory for filename.");
+ if (lease->filename == NULL) {
+ warning("dhcpoffer: no memory for filename");
free_client_lease(lease);
return (NULL);
}
- memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN);
- lease->filename[DHCP_FILE_LEN]='\0';
- if (strchr(lease->filename, '"') != NULL ||
- strchr(lease->filename, '\\') != NULL) {
- warning("dhcpoffer: filename contains invalid characters.");
- free_client_lease(lease);
- return (NULL);
+ for (i = 0; i < DHCP_FILE_LEN; i++) {
+ if (packet->raw->file[i] == '\0') {
+ break;
+ }
+ if (packet->raw->file[i] < ' ' ||
+ packet->raw->file[i] == '"' ||
+ packet->raw->file[i] == '\\') {
+ warning("dhcpoffer: file name contains "
+ "unsafe characters");
+ free(lease->filename);
+ lease->filename = NULL;
+ break;
+ }
+ lease->filename[i] = packet->raw->file[i];
+ }
+ if (lease->filename != NULL) {
+ while (i < DHCP_FILE_LEN + 1) {
+ lease->filename[i++] = '\0';
+ }
}
}
return lease;

File Metadata

Mime Type
text/plain
Expires
Sat, May 2, 10:55 AM (12 h, 52 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
32572678
Default Alt Text
D56740.id176887.diff (3 KB)

Event Timeline