This is the mail archive of the ecos-discuss@sources.redhat.com mailing list for the eCos project.
RE: RedBoot: bootp buffer overrun -- patch attached
- To: Grant Edwards <grante at visi dot com>
- Subject: RE: [ECOS] RedBoot: bootp buffer overrun -- patch attached
- From: Gary Thomas <gthomas at cambridge dot redhat dot com>
- Date: Thu, 15 Mar 2001 11:15:56 -0700 (MST)
- Cc: ecos-discuss at sources dot redhat dot com
- Organization: Red Hat, Inc.
On 15-Mar-2001 Grant Edwards wrote:
>
> I ran into a buffer overrun error when a bootp server returned
> a bootp packet bigger than the bootp_header_t struct. A patch
> against current CVS code is attached.
Thanks, I've applied this patch to the sources.
Index: redboot/current/ChangeLog
===================================================================
RCS file: /home/cvs/ecc/ecc/redboot/current/ChangeLog,v
retrieving revision 1.114
diff -u -5 -p -r1.114 ChangeLog
--- redboot/current/ChangeLog 2001/03/15 15:33:44 1.114
+++ redboot/current/ChangeLog 2001/03/15 18:14:46
@@ -1,5 +1,10 @@
+2001-03-15 Gary Thomas <gthomas@redhat.com>
+2001-03-15 Grant Edwards <grante@visi.com>
+
+ * src/net/bootp.c (bootp_handler): Guard against buffer overflow.
+
2001-03-15 Hugo Tyson <hmt@redhat.com>
* src/flash.c (fis_create): The code was installing a default for
img_size from data_length of an extant record. That's zero, so,
so whilst the flash was erased, no data was copied in!
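Review bot: the new entry carries two header lines back to back ("+2001-03-15 Gary Thomas <gthomas@redhat.com>" and "+2001-03-15 Grant Edwards <grante@visi.com>") with no blank line or separate body between them; ChangeLog convention is one header per entry, so either keep a single header (crediting the contributor in the body) or split them into two entries. The body could also state how the overflow is guarded, i.e. that len is clamped to sizeof *bp_info so oversized replies are truncated rather than rejected, since that is the behaviour a reader of the ChangeLog will want to know.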
Index: redboot/current/src/net/bootp.c
===================================================================
RCS file: /home/cvs/ecc/ecc/redboot/current/src/net/bootp.c,v
retrieving revision 1.6
diff -u -5 -p -r1.6 bootp.c
--- redboot/current/src/net/bootp.c 2001/02/09 22:00:58 1.6
+++ redboot/current/src/net/bootp.c 2001/03/15 18:14:10
@@ -21,11 +21,11 @@
// The Original Code is eCos - Embedded Configurable Operating System,
// released September 30, 1998.
//
// The Initial Developer of the Original Code is Red Hat.
// Portions created by Red Hat are
-// Copyright (C) 1998, 1999, 2000 Red Hat, Inc.
+// Copyright (C) 1998, 1999, 2000, 2001 Red Hat, Inc.
// All Rights Reserved.
// -------------------------------------------
//
//####COPYRIGHTEND####
//==========================================================================
@@ -61,10 +61,12 @@ bootp_handler(udp_socket_t *skt, char *b
{
bootp_header_t *b;
b = (bootp_header_t *)buf;
if (bp_info) {
+ if (len > sizeof *bp_info)
+ len = sizeof *bp_info;
memcpy(bp_info, b, len);
}
if (b->bp_op == BOOTREPLY &&
!memcmp(b->bp_chaddr, __local_enet_addr, 6)) {
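Review bot: the added clamp only protects the memcpy into bp_info; buf is still cast to bootp_header_t * and b->bp_op and b->bp_chaddr are dereferenced with no check that len is at least the size of the fields being read, so an undersized datagram is handled with no guard in the opposite direction. Suggest an early return before any field access, e.g. `if (len < sizeof(bootp_header_t)) return;` (or a check covering just the fields the handler uses), so both the too-large and the too-small cases are bounded. Silently truncating an oversized reply also discards everything past the struct, which is exactly the case the report describes; a diagnostic when `len > sizeof *bp_info` would make that truncation visible rather than invisible.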