dhcpd: Prevent buffer overflow in dhcpd_addoption. offset represents distance from start of option buffer. So this should be changed current option pointer minus start of buffer.

2017-08-25 06:50:37 -06:00 · 2017-08-25 06:50:37 -06:00 · d0f74f5346
commit d0f74f5346
parent 7fa2bd1a23
2 changed files with 3 additions and 3 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -2053,7 +2053,7 @@
 	  array. This cause buffer overflow for part array.  This change fixes
 	  this problem.  From  EunBong Song (2017-05-17).
 	* apps/examples/can:  Fix can example app to print data when
-	  CONFIG_EXAMPLE_CAN_READ is defined.  From Alan Carvalho de Assis
+	  CONFIG_EXAMPLES_CAN_READ is defined.  From Alan Carvalho de Assis
 	  (2017-05-17).
 	* apps/: Make more globals static to avoid name clashes.  From Juha
 	  Niskanen (2017-05-19).
--- a/netutils/dhcpd/dhcpd.c
+++ b/netutils/dhcpd/dhcpd.c
@ -1,7 +1,7 @@
 /****************************************************************************
 * netutils/dhcpd/dhcpd.c
 *
- *   Copyright (C) 2007-2009, 2011-2014 Gregory Nutt. All rights reserved.
+ *   Copyright (C) 2007-2009, 2011-2014, 2017 Gregory Nutt. All rights reserved.
 *   Author: Gregory Nutt <gnutt@nuttx.org>
 *
 * Redistribution and use in source and binary forms, with or without
@ -705,7 +705,7 @@ static int dhcpd_addoption(uint8_t *option)

  if (g_state.ds_optend)
    {
-      offset = g_state.ds_outpacket.options - g_state.ds_optend;
+      offset = g_state.ds_optend - g_state.ds_outpacket.options;
      len    = option[DHCPD_OPTION_LENGTH] + 2;

      /* Check if the option will fit into the options array */