On 07/01/16 02:38, Aun-Ali Zaidi wrote:
From: Tim Cussins <timcuss...@eml.cc>

DHCP requests add the hostname option in dhcp_request_req() - this is cool,
except that the dhcp spec requires that this option has a length >= 1 char.

Excerpt taken from RFC 2132:

    3.14. Host Name Option

    This option specifies the name of the client.  The name may or may
    not be qualified with the local domain name (see section 3.17 for the
    preferred way to retrieve the domain name).  See RFC 1035 for
    character set restrictions.

    The code for this option is 12, and its minimum length is 1.

     Code   Len                 Host Name
    +-----+-----+-----+-----+-----+-----+-----+-----+--
    |  12 |  n  |  h1 |  h2 |  h3 |  h4 |  h5 |  h6 |  ...
    +-----+-----+-----+-----+-----+-----+-----+-----+--

At present, the hostname is added regardless. This appears to trigger a bug in
a specific Netgear router that causes its dhcp process to lock up.

closes #1405.
---
  cpukit/libnetworking/rtems/rtems_dhcp.c | 16 ++++++++++++----
  1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/cpukit/libnetworking/rtems/rtems_dhcp.c 
b/cpukit/libnetworking/rtems/rtems_dhcp.c
index cb6966d..c0c95f5 100644
--- a/cpukit/libnetworking/rtems/rtems_dhcp.c
+++ b/cpukit/libnetworking/rtems/rtems_dhcp.c
@@ -681,10 +681,18 @@ dhcp_request_req (struct dhcp_packet* call,
    {
      if (gethostname (hostname, MAXHOSTNAMELEN) == 0)
      {
-      call->vend[len++] = DHCP_HOST;
-      call->vend[len++] = strlen (hostname);
-      strcpy ((char*) &call->vend[len], hostname);
-      len += strlen (hostname);
+      /* RFC 2132 Section 3.14 dictates min length for this option is 1 char.
+         If hostname is zero-length, then let's just not add it */
+
+      size_t hostnamelen = strlen (hostname);
+
+      if (hostnamelen > 0 && hostnamelen < MAXHOSTNAMELEN)
+      {
+        call->vend[len++] = DHCP_HOST;
+       call->vend[len++] = (uint8_t) hostnamelen;

What guarantees that this reduction of hostnamelen to 8-bits is well defined?

+       memcpy (&call->vend[len], hostname, hostnamelen);
+       len += (int) hostnamelen;

What guarantees that you have enough space for this memcpy() in the destination buffer?

+      }
      }
      free (hostname, 0);
    }
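
Review bot: The guard at "if (hostnamelen > 0 && hostnamelen < MAXHOSTNAMELEN)" bounds the name only against the size passed to gethostname(), so nothing in this hunk ties it to the one-octet option length field or to the space left in call->vend at offset len. Suggest also requiring hostnamelen <= 255 before the (uint8_t) cast, and checking len + 2 + hostnamelen against the size of call->vend before the memcpy(), skipping the option when either check fails. With those two checks the (uint8_t) and (int) casts can no longer change the value, and the zero-length case stays covered by the existing hostnamelen > 0 test.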

--
Sebastian Huber, embedded brains GmbH

Address : Dornierstr. 4, D-82178 Puchheim, Germany
Phone   : +49 89 189 47 41-16
Fax     : +49 89 189 47 41-09
E-Mail  : sebastian.hu...@embedded-brains.de
PGP     : Public key available on request.

This message is not a business communication within the meaning of the EHUG.

_______________________________________________
devel mailing list
devel@rtems.org
http://lists.rtems.org/mailman/listinfo/devel
