[klibc] Bug in function bootp_parse in file bootp_proto.c
Άλκης
Thu Oct 9 09:37:09 PDT 2008
While implementing the "command line argument for ipconfig to require a
dhcp option" patch, I found a bug in function
int bootp_parse(), file bootp_proto.c
Part of the code:

        case 15: /* domain name */
            if (len > sizeof(dev->dnsdomainname) - 1)
                len = sizeof(dev->dnsdomainname) - 1;
            memcpy(&dev->dnsdomainname, ext, len);
            dev->dnsdomainname[len] = '\0';
            break;
        ...
        }
        ext += len;

By modifying len inside the switch() statement,

    len = sizeof(dev->dnsdomainname) - 1;

ext += len doesn't "go" to the start of the next dhcp option, but it
ends up inside the current option.
If this ever happens, the reading sequence is lost, and all the rest
of the packet options are not read correctly.
I propose to fix it by introducing a

    void *memcpy_null_terminate(dest, src, dest_len, src_len);

function. It will alter the code a little more, but it's trivial (so no
regressions) and it'll get the overall code smaller.
Kind regards,
Alkis Georgopoulos
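
Added example, not part of the original message and not klibc code: a minimal option walker that runs the reported pattern (len clamped, then reused as the stride) next to a version that keeps the on-wire length separate from the copy length. The struct, the buffer sizes, the sample options, the clamp_len switch and the body of memcpy_null_terminate are assumptions made for illustration; the pad option (0) is not handled.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical helper with the signature proposed above: copies at most
 * dest_len - 1 bytes, always NUL-terminates, never touches the caller's len. */
static void *memcpy_null_terminate(void *dest, const void *src,
                                   size_t dest_len, size_t src_len)
{
    size_t n = src_len;
    if (dest_len == 0)
        return dest;
    if (n > dest_len - 1)
        n = dest_len - 1;
    memcpy(dest, src, n);
    ((char *)dest)[n] = '\0';
    return dest;
}

struct lease { char domain[8]; char host[8]; };  /* constructed, small on purpose */
/* Constructed options: 15 (domain) "example.org", 12 (host name) "node", 255 (end). */
static const uint8_t sample_opts[] = { 15, 11, 'e','x','a','m','p','l','e','.','o','r','g',
                                       12, 4, 'n','o','d','e', 255 };

/* Returns the number of options walked, or -1 if an option overruns the buffer.
 * clamp_len != 0 reproduces the reported pattern (len is both copy size and stride). */
static int parse_options(const uint8_t *ext, size_t total, struct lease *l, int clamp_len)
{
    const uint8_t *end = ext + total;
    int count = 0;
    while (end - ext >= 2 && *ext != 255) {
        uint8_t opt = *ext++;
        size_t len = *ext++;
        if ((size_t)(end - ext) < len)
            return -1;
        if (opt == 15 && clamp_len) {
            if (len > sizeof(l->domain) - 1)
                len = sizeof(l->domain) - 1;     /* also shortens the stride below */
            memcpy(l->domain, ext, len);
            l->domain[len] = '\0';
        } else if (opt == 15) {
            memcpy_null_terminate(l->domain, ext, sizeof(l->domain), len);
        } else if (opt == 12) {
            memcpy_null_terminate(l->host, ext, sizeof(l->host), len);
        }
        ext += len;                              /* must be the on-wire length */
        count++;
    }
    return count;
}
```

With clamp_len set, the walker resumes at ".org", reads '.' as an option code and 'o' as its length, and the host name option is never reached.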