#include <unistd.h>
#include <syslog.h>
#include <stdbool.h>
+#include <ctype.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
if (inf_max_rt >= DHCPV6_INF_MAX_RT_MIN &&
inf_max_rt <= DHCPV6_INF_MAX_RT_MAX)
cand.inf_max_rt = inf_max_rt;
- } else if (otype == DHCPV6_OPT_IA_PD && request_prefix) {
+ } else if (otype == DHCPV6_OPT_IA_PD && request_prefix &&
+ olen >= -4 + sizeof(struct dhcpv6_ia_hdr)) {
struct dhcpv6_ia_hdr *h = (struct dhcpv6_ia_hdr*)&odata[-4];
uint8_t *oend = odata + olen, *d;
dhcpv6_for_each_option(&h[1], oend, otype, olen, d) {
have_pd = p->prefix;
}
}
- } else if (otype == DHCPV6_OPT_IA_NA) {
+ } else if (otype == DHCPV6_OPT_IA_NA &&
+ olen >= -4 + sizeof(struct dhcpv6_ia_hdr)) {
struct dhcpv6_ia_hdr *h = (struct dhcpv6_ia_hdr*)&odata[-4];
uint8_t *oend = odata + olen, *d;
dhcpv6_for_each_option(&h[1], oend, otype, olen, d)
if (elen > 64)
elen = 64;
- if (elen <= 32 || elen <= entry.length) {
+ if (entry.length < 32 || elen <= entry.length) {
ok = false;
continue;
}
static void dhcpv6_log_status_code(const uint16_t code, const char *scope,
- const void *status_msg, const int len)
+ const void *status_msg, int len)
{
- uint8_t buf[len + 3];
+ const char *src = status_msg;
+ char buf[len + 3];
+ char *dst = buf;
- memset(buf, 0, sizeof(buf));
if (len) {
- buf[0] = '(';
- memcpy(&buf[1], status_msg, len);
- buf[len + 1] = ')';
+ *dst++ = '(';
+ while (len--) {
+ *dst = isprint((unsigned char)*src) ? *src : '?';
+ src++;
+ dst++;
+ }
+ *dst++ = ')';
}
+ *dst = 0;
syslog(LOG_WARNING, "Server returned %s status %i %s",
scope, code, buf);
}
}
+// Note this always takes ownership of cand->ia_na and cand->ia_pd
static void dhcpv6_add_server_cand(const struct dhcpv6_server_cand *cand)
{
size_t cand_len, i;
break;
}
- odhcp6c_insert_state(STATE_SERVER_CAND, i * sizeof(*c), cand, sizeof(*cand));
+ if (odhcp6c_insert_state(STATE_SERVER_CAND, i * sizeof(*c), cand, sizeof(*cand))) {
+ free(cand->ia_na);
+ free(cand->ia_pd);
+ }
}
static void dhcpv6_clear_all_server_cand(void)
char *buf = realloc(NULL, len + buf_len + 2);
memcpy(buf, name, buf_len);
buf[buf_len++] = '=';
- int l = 1;
- while (l > 0 && fqdn < fqdn_end) {
- l = dn_expand(fqdn, fqdn_end, fqdn, &buf[buf_len], buf_size - buf_len);
+ while (fqdn < fqdn_end) {
+ int l = dn_expand(fqdn, fqdn_end, fqdn, &buf[buf_len], buf_size - buf_len);
+ if (l <= 0)
+ break;
fqdn += l;
buf_len += strlen(&buf[buf_len]);
buf[buf_len++] = ' ';
{
size_t buf_len = strlen(name);
const struct odhcp6c_entry *e = data;
- char *buf = realloc(NULL, buf_len + 2 + (len / sizeof(*e)) * 144);
+ // Worst case: ENTRY_PREFIX with iaid != 1 and exclusion
+ const size_t max_entry_len = (INET6_ADDRSTRLEN-1 + 5 + 22 + 15 + 10 +
+ INET6_ADDRSTRLEN-1 + 11 + 1);
+ char *buf = realloc(NULL, buf_len + 2 + (len / sizeof(*e)) * max_entry_len);
memcpy(buf, name, buf_len);
buf[buf_len++] = '=';
inet_ntop(AF_INET6, &e[i].target, &buf[buf_len], INET6_ADDRSTRLEN);
buf_len += strlen(&buf[buf_len]);
if (type != ENTRY_HOST) {
- buf_len += snprintf(&buf[buf_len], 6, "/%"PRIu16, e[i].length);
+ snprintf(&buf[buf_len], 6, "/%"PRIu16, e[i].length);
+ buf += strlen(&buf[buf_len]);
if (type == ENTRY_ROUTE) {
buf[buf_len++] = ',';
if (!IN6_IS_ADDR_UNSPECIFIED(&e[i].router)) {
inet_ntop(AF_INET6, &e[i].router, &buf[buf_len], INET6_ADDRSTRLEN);
buf_len += strlen(&buf[buf_len]);
}
- buf_len += snprintf(&buf[buf_len], 24, ",%u", e[i].valid);
- buf_len += snprintf(&buf[buf_len], 12, ",%u", e[i].priority);
+ snprintf(&buf[buf_len], 23, ",%u,%u", e[i].valid, e[i].priority);
+ buf += strlen(&buf[buf_len]);
} else {
- buf_len += snprintf(&buf[buf_len], 24, ",%u,%u", e[i].preferred, e[i].valid);
+ snprintf(&buf[buf_len], 23, ",%u,%u", e[i].preferred, e[i].valid);
+ buf += strlen(&buf[buf_len]);
}
- if (type == ENTRY_PREFIX && ntohl(e[i].iaid) != 1)
- buf_len += snprintf(&buf[buf_len], 16, ",class=%08x", ntohl(e[i].iaid));
+ if (type == ENTRY_PREFIX && ntohl(e[i].iaid) != 1) {
+ snprintf(&buf[buf_len], 16, ",class=%08x", ntohl(e[i].iaid));
+ buf += strlen(&buf[buf_len]);
+ }
if (type == ENTRY_PREFIX && e[i].priority) {
// priority and router are abused for prefix exclusion
- buf_len += snprintf(&buf[buf_len], 12, ",excluded=");
+ snprintf(&buf[buf_len], 11, ",excluded=");
+ buf_len += strlen(&buf[buf_len]);
inet_ntop(AF_INET6, &e[i].router, &buf[buf_len], INET6_ADDRSTRLEN);
buf_len += strlen(&buf[buf_len]);
- buf_len += snprintf(&buf[buf_len], 24, "/%u", e[i].priority);
+ snprintf(&buf[buf_len], 12, "/%u", e[i].priority);
+ buf_len += strlen(&buf[buf_len]);
}
}
buf[buf_len++] = ' ';
static void int_to_env(const char *name, int value)
{
- size_t len = 12 + strlen(name);
+ size_t len = 13 + strlen(name);
char *buf = realloc(NULL, len);
snprintf(buf, len, "%s=%d", name, value);
putenv(buf);
size_t prefix6len = rule->prefix6_len;
prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
- if (olen < sizeof(struct dhcpv6_s46_rule) + prefix6len)
+ if (prefix6len > sizeof(in6) ||
+ olen < sizeof(struct dhcpv6_s46_rule) + prefix6len)
continue;
memcpy(&in6, rule->ipv6_prefix, prefix6len);
size_t prefix6len = dmr->dmr_prefix6_len;
prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
- if (olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len)
+ if (prefix6len > sizeof(in6) ||
+ olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len)
continue;
memcpy(&in6, dmr->dmr_ipv6_prefix, prefix6len);
size_t prefix6len = bind->bindprefix6_len;
prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
- if (olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len)
+ if (prefix6len > sizeof(in6) ||
+ olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len)
continue;
memcpy(&in6, bind->bind_ipv6_prefix, prefix6len);
projects / odhcp6c.git / commitdiff