diff options
| author | Michael Brown <mcb30@ipxe.org> | 2014-02-26 16:44:05 +0000 |
|---|---|---|
| committer | Michael Brown <mcb30@ipxe.org> | 2014-02-26 16:44:05 +0000 |
| commit | ced4f8d1d36f920ba3e316297f1b3ab841d37b6a (patch) | |
| tree | 12134bd110042ee1745006628d86e6da9695ceb0 /src/net | |
| parent | ff341c1861729b1521bb64c0290febe2064ae205 (diff) | |
| download | ipxe-ced4f8d1d36f920ba3e316297f1b3ab841d37b6a.zip ipxe-ced4f8d1d36f920ba3e316297f1b3ab841d37b6a.tar.gz ipxe-ced4f8d1d36f920ba3e316297f1b3ab841d37b6a.tar.bz2 | |
[dhcp] Copy exactly the required length when resizing DHCP options
When resizing DHCP options, iPXE currently calculates the length to be
copied by subtracting the destination pointer from the end of buffer
pointer. This works and guarantees not to write beyond the end of the
buffer, but may end up reading beyond the end of the buffer.
Fix by calculating the required length exactly.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/net')
| -rw-r--r-- | src/net/dhcpopts.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/net/dhcpopts.c b/src/net/dhcpopts.c index 6d29a7b..8cd19cf 100644 --- a/src/net/dhcpopts.c +++ b/src/net/dhcpopts.c @@ -202,7 +202,6 @@ static int resize_dhcp_option ( struct dhcp_options *options, size_t new_encapsulator_len; void *source; void *dest; - void *end; int rc; /* Check for sufficient space */ @@ -245,8 +244,7 @@ static int resize_dhcp_option ( struct dhcp_options *options, option = dhcp_option ( options, offset ); source = ( ( ( void * ) option ) + old_len ); dest = ( ( ( void * ) option ) + new_len ); - end = ( options->data + options->alloc_len ); - memmove ( dest, source, ( end - dest ) ); + memmove ( dest, source, ( new_used_len - offset - new_len ) ); /* Shrink options block, if applicable */ if ( new_used_len < options->alloc_len ) { |