This is the mail archive of the ecos-discuss@sources.redhat.com mailing list for the eCos project.



RE: RedBoot: bootp buffer overrun -- patch attached



On 15-Mar-2001 Grant Edwards wrote:
> 
> I ran into a buffer overrun error when a bootp server returned
> a bootp packet bigger than the bootp_header_t struct. A patch
> against current CVS code is attached.

Thanks, I've applied this patch to the sources.

Index: redboot/current/ChangeLog
===================================================================
RCS file: /home/cvs/ecc/ecc/redboot/current/ChangeLog,v
retrieving revision 1.114
diff -u -5 -p -r1.114 ChangeLog
--- redboot/current/ChangeLog   2001/03/15 15:33:44     1.114
+++ redboot/current/ChangeLog   2001/03/15 18:14:46
@@ -1,5 +1,10 @@
+2001-03-15  Gary Thomas  <gthomas@redhat.com>
+2001-03-15  Grant Edwards <grante@visi.com>
+
+       * src/net/bootp.c (bootp_handler): Guard against buffer overflow.
+
 2001-03-15  Hugo Tyson  <hmt@redhat.com>
 
        * src/flash.c (fis_create): The code was installing a default for
        img_size from data_length of an extant record.  That's zero, so,
        so whilst the flash was erased, no data was copied in!
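Review bot: the ChangeLog entry stacks two date/author header lines (Gary Thomas and Grant Edwards) directly on top of each other with no blank line, which reads as a merge artifact rather than a joint entry; either keep one header and credit the other author in the entry text ("Patch from Grant Edwards"), or separate them into two entries. The entry itself could also say what the guard does, e.g. "Clamp len to sizeof(bootp_header_t) before copying into bp_info", so readers of the log know the copy is now bounded rather than rejected.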
Index: redboot/current/src/net/bootp.c
===================================================================
RCS file: /home/cvs/ecc/ecc/redboot/current/src/net/bootp.c,v
retrieving revision 1.6
diff -u -5 -p -r1.6 bootp.c
--- redboot/current/src/net/bootp.c     2001/02/09 22:00:58     1.6
+++ redboot/current/src/net/bootp.c     2001/03/15 18:14:10
@@ -21,11 +21,11 @@
 // The Original Code is eCos - Embedded Configurable Operating System,      
 // released September 30, 1998.                                             
 //                                                                          
 // The Initial Developer of the Original Code is Red Hat.                   
 // Portions created by Red Hat are                                          
-// Copyright (C) 1998, 1999, 2000 Red Hat, Inc.                             
+// Copyright (C) 1998, 1999, 2000, 2001 Red Hat, Inc.                             
 // All Rights Reserved.                                                     
 // -------------------------------------------                              
 //                                                                          
 //####COPYRIGHTEND####
 //==========================================================================
@@ -61,10 +61,12 @@ bootp_handler(udp_socket_t *skt, char *b
 {
     bootp_header_t *b;
 
     b = (bootp_header_t *)buf;
     if (bp_info) {
+        if (len > sizeof *bp_info)
+            len = sizeof *bp_info;
         memcpy(bp_info, b, len);
     }
 
     if (b->bp_op == BOOTREPLY && 
        !memcmp(b->bp_chaddr, __local_enet_addr, 6)) {
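Review bot: the new check only bounds the upper side of `len`; `b->bp_op` and `b->bp_chaddr` are still dereferenced right after the `if (bp_info)` block without any check that at least a full `bootp_header_t` was received, so a short or truncated datagram makes the handler read past the end of the received data in `buf`. Consider an early return such as `if (len < sizeof(bootp_header_t)) return;` before the cast, which also guarantees that `memcpy(bp_info, b, len)` fills `bp_info` completely instead of leaving trailing fields stale from an earlier reply. Minor style point: `sizeof(*bp_info)` with parentheses matches the rest of the RedBoot sources better than `sizeof *bp_info`.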

