From d0f74f534604e3b6054bbef09365448b76a8d192 Mon Sep 17 00:00:00 2001
From: EunBong Song
Date: Fri, 25 Aug 2017 06:50:37 -0600
Subject: [PATCH] dhcpd: Prevent buffer overflow in dhcpd_addoption. offset represents distance from start of option buffer. So this should be changed current option pointer minus start of buffer.
---
 ChangeLog.txt | 2 +-
 netutils/dhcpd/dhcpd.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index e52589cc8..2d43ba88a 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -2053,7 +2053,7 @@ array. This cause buffer overflow for part array. This change fixes this problem. From EunBong Song (2017-05-17). * apps/examples/can: Fix can example app to print data when - CONFIG_EXAMPLE_CAN_READ is defined. From Alan Carvalho de Assis + CONFIG_EXAMPLES_CAN_READ is defined. From Alan Carvalho de Assis (2017-05-17). * apps/: Make more globals static to avoid name clashes. From Juha Niskanen (2017-05-19).
diff --git a/netutils/dhcpd/dhcpd.c b/netutils/dhcpd/dhcpd.c
index 9df5d1a85..03c2edda7 100644
--- a/netutils/dhcpd/dhcpd.c
+++ b/netutils/dhcpd/dhcpd.c
@@ -1,7 +1,7 @@
 /****************************************************************************
 * netutils/dhcpd/dhcpd.c
 *
- * Copyright (C) 2007-2009, 2011-2014 Gregory Nutt. All rights reserved.
+ * Copyright (C) 2007-2009, 2011-2014, 2017 Gregory Nutt. All rights reserved.
 * Author: Gregory Nutt
 *
 * Redistribution and use in source and binary forms, with or without
@@ -705,7 +705,7 @@ static int dhcpd_addoption(uint8_t *option)
 if (g_state.ds_optend)
 {
- offset = g_state.ds_outpacket.options - g_state.ds_optend;
+ offset = g_state.ds_optend - g_state.ds_outpacket.options;
 len = option[DHCPD_OPTION_LENGTH] + 2;
 /* Check if the option will fit into the options array */
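Review bot: The corrected `offset` in the `@@ -705,7 +705,7 @@` hunk only prevents the overflow if the comparison that consumes it is right, and that comparison sits below the hunk, after the `/* Check if the option will fit into the options array */` comment. With the old operand order the value was zero or negative, so a signed fits-check would presumably have passed for any `len`. Please confirm that the check also leaves room for any end-of-options byte written after the copy, and that an option that does not fit is reported to the caller rather than silently dropped. A short comment on the new line would guard against the operands being swapped again, for example `/* Bytes already used: current end of options minus start of the options array */`. The declaration of `offset` and the rest of dhcpd_addoption are outside the hunk.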