ref: 8ebea821591cafd8a604806cb202cf0860f71232
parent: 0404370083c69d8ec0f2d8bcb4826ca9c54d9ee5
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun May 14 20:57:15 EDT 2023
dhcp: fix out of bounds access in "ANDROID_METERED" fix the previous change introduces an out of bounds access as it does not change n. it is also conceptually wrong because this routine is supposed to just verify the structure. as later getopts() is *NOT* going to deal with malformed TLV's. this actually replaces the android magic garbage with OBpad bytes, which getopts() later will handle correctly and makes sure the garbage is fully contained within the buffer boundaries. thanks sigrid for testing.
--- a/sys/src/cmd/ip/ipconfig/dhcp.c
+++ b/sys/src/cmd/ip/ipconfig/dhcp.c
@@ -951,10 +951,10 @@
while (n > 0) {
/* Android shouldn't be sending us this garbage; filter it out */
- if(strncmp((char*)p, "ANDROID_METERED", n) == 0){
- p += strlen("ANDROID_METERED");
- continue;
- }
+ static char garbage[] = "ANDROID_METERED";
+ if(n >= sizeof(garbage)-1 && memcmp(p, garbage, sizeof(garbage)-1) == 0)
+ memset(p, OBpad, sizeof(garbage)-1);
+
code = *p++;
n--;
if(code == OBend)
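Review bot: The comment above the new check still says "filter it out", but `memset(p, OBpad, sizeof(garbage)-1)` now rewrites the received packet in place, inside a routine the commit message describes as verification-only, and nothing in the code says so. I would reword it along the lines of `/* Android sends a bare "ANDROID_METERED" string here; overwrite it with OBpad so getopts() skips it */`. The guard `n >= sizeof(garbage)-1` is what keeps both memcmp and memset within the remaining n bytes. If n is a signed int (its declaration is outside the hunk), that comparison against an unsigned sizeof is only safe because the loop condition already guarantees n > 0, which is worth a word in the comment. The loop body continues past the end of the hunk, so the handling of the resulting OBpad bytes is not visible here.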
--
⑨