]> git.decadent.org.uk Git - odhcp6c.git/blobdiff - src/script.c
projects / odhcp6c.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add missing option length checks in dhcpv6_handle_advert
[odhcp6c.git] / src / script.c
diff --git a/src/script.c b/src/script.c
index 83fbea5a2c37e2b18cfa2966e319b42cff55a17e..357933105d35d56f5718fbad56b30595dbe80557 100644 (file)
--- a/src/script.c
+++ b/src/script.c
@@ -227,7 +227,7 @@ static void search_to_env(const char *name, const uint8_t *start, size_t len)
 
 static void int_to_env(const char *name, int value)
 {
-       size_t len = 12 + strlen(name);
+       size_t len = 13 + strlen(name);
        char *buf = realloc(NULL, len);
        snprintf(buf, len, "%s=%d", name, value);
        putenv(buf);
@@ -282,7 +282,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
                        size_t prefix6len = rule->prefix6_len;
                        prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-                       if (olen < sizeof(struct dhcpv6_s46_rule) + prefix6len)
+                       if (prefix6len > sizeof(in6) ||
+                           olen < sizeof(struct dhcpv6_s46_rule) + prefix6len)
                                continue;
 
                        memcpy(&in6, rule->ipv6_prefix, prefix6len);
@@ -311,7 +312,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
                                        size_t prefix6len = dmr->dmr_prefix6_len;
                                        prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-                                       if (olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len)
+                                       if (prefix6len > sizeof(in6) ||
+                                           olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len)
                                                continue;
 
                                        memcpy(&in6, dmr->dmr_ipv6_prefix, prefix6len);
@@ -330,7 +332,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
                        size_t prefix6len = bind->bindprefix6_len;
                        prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-                       if (olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len)
+                       if (prefix6len > sizeof(in6) ||
+                           olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len)
                                continue;
 
                        memcpy(&in6, bind->bind_ipv6_prefix, prefix6len);
Package: odhcp6c