Bug 12466

Summary: Out of bounds read in udhcp_get_option()
Product: Busybox
Reporter: zhaoyuhang0313
Component: Networking
Assignee: unassigned
Status: RESOLVED INVALID
Severity: normal
CC: busybox-cvs
Priority: P5
Version: 1.31.x
Target Milestone: ---
Hardware: All
OS: Linux
Host:
Target:
Build:

Description zhaoyuhang0313 2020-01-14 06:14:46 UTC
I noted that in send_ACK() and send_offer(), p_host_name is fetched and written without making sure of its length. Shouldn't we also check if the length is 4 before calling add_lease()?

Comment 1 Denys Vlasenko 2020-01-14 16:08:04 UTC
send_ACK():
        const char *p_host_name;
...
        p_host_name = (const char*) udhcp_get_option(oldpacket, DHCP_HOST_NAME);
        add_lease(packet.chaddr, packet.yiaddr,
                lease_time_sec,
                p_host_name,
                p_host_name ? (unsigned char)p_host_name[OPT_LEN - OPT_DATA] : 0
        );


send_offer():
                p_host_name = (const char*) udhcp_get_option(oldpacket, DHCP_HOST_NAME);
                lease = add_lease(packet.chaddr, packet.yiaddr,
                                server_data.offer_time,
                                p_host_name,
                                p_host_name ? (unsigned char)p_host_name[OPT_LEN - OPT_DATA] : 0
                );

Looks ok to me.


> Shouldn't we also check if the length is 4

No, the length is not necessarily 4.
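
The indexing pattern discussed above, p_host_name[OPT_LEN - OPT_DATA], reads the option's length byte, which sits one byte before the data pointer. The following is an added example, not BusyBox code and not part of the original thread: get_option() and host_name_len() are hypothetical simplified helpers, the OPT_* offsets are assumed to follow the RFC 2132 code/length/data layout, and the sample buffers are constructed. It shows a walker that validates the length byte against the remaining buffer before returning a data pointer, so the caller's read at index -1 stays in bounds for any host name length, not only 4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 2132 option layout: code byte, length byte, then data.
 * Offsets are assumed to match the OPT_* names in the snippets above. */
#define OPT_CODE 0
#define OPT_LEN  1
#define OPT_DATA 2
#define DHCP_PADDING   0x00
#define DHCP_HOST_NAME 0x0c
#define DHCP_END       0xff

/* Hypothetical simplified walker (no option-overload handling).
 * Returns a pointer to the option's data, or NULL if absent or malformed.
 * The length byte is checked against the remaining buffer before a pointer
 * is returned, so ptr[OPT_LEN - OPT_DATA] (ptr[-1]) is always readable. */
static const uint8_t *get_option(const uint8_t *opts, size_t size, uint8_t code)
{
    size_t i = 0;
    while (i < size) {
        if (opts[i + OPT_CODE] == DHCP_PADDING) { i++; continue; }
        if (opts[i + OPT_CODE] == DHCP_END) break;
        if (size - i < OPT_DATA) return NULL;        /* no room for length byte */
        size_t len = opts[i + OPT_LEN];
        if (len > size - i - OPT_DATA) return NULL;  /* data runs past buffer */
        if (opts[i + OPT_CODE] == code) return opts + i + OPT_DATA;
        i += OPT_DATA + len;
    }
    return NULL;
}

/* Mirrors the caller pattern: the length is the byte just before the data. */
static int host_name_len(const uint8_t *opts, size_t size)
{
    const uint8_t *p = get_option(opts, size, DHCP_HOST_NAME);
    return p ? (int)p[OPT_LEN - OPT_DATA] : -1;
}

/* Constructed option areas: a valid 6-byte host name, and a truncated one. */
static const uint8_t ok_opts[] = { 0x00, 0x35, 0x01, 0x03,
                                   0x0c, 0x06, 'r','o','u','t','e','r', 0xff };
static const uint8_t trunc_opts[] = { 0x0c, 0x20, 'a', 'b', 0xff };

int main(void)
{
    printf("%d %d\n", host_name_len(ok_opts, sizeof ok_opts),
           host_name_len(trunc_opts, sizeof trunc_opts));
    return 0;
}
```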