diff options
| author | Ed Maste <emaste@FreeBSD.org> | 2018-12-19 18:16:29 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2018-12-19 18:16:29 +0000 |
| commit | 1e13299fd87e57a03d4f95ab21b6c646497b4dfe (patch) | |
| tree | e5ae7a3409e9596ef5a2b0abcb56db6ab12b0e7d /libexec | |
| parent | 53941c0a736c8dd7c42c5228fa6a26663af4d315 (diff) | |
| download | src-1e13299fd87e57a03d4f95ab21b6c646497b4dfe.tar.gz src-1e13299fd87e57a03d4f95ab21b6c646497b4dfe.zip | |
bootpd: validate hardware type
Due to insufficient validation of network-provided data it may have been
possible for a malicious actor to craft a bootp packet which could cause
a stack buffer overflow.
admbugs: 850
Reported by: Reno Robert
Reviewed by: markj
Approved by: so
Security: FreeBSD-SA-18:15.bootpd
Sponsored by: The FreeBSD Foundation
Notes
Notes:
svn path=/head/; revision=342227
Diffstat (limited to 'libexec')
| -rw-r--r-- | libexec/bootpd/bootpd.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libexec/bootpd/bootpd.c b/libexec/bootpd/bootpd.c index fe9cefa3de42..afd5c77d6a99 100644 --- a/libexec/bootpd/bootpd.c +++ b/libexec/bootpd/bootpd.c @@ -636,6 +636,10 @@ handle_request() char *homedir, *bootfile; int n; + if (bp->bp_htype >= hwinfocnt) { + report(LOG_NOTICE, "bad hw addr type %u", bp->bp_htype); + return; + } bp->bp_file[sizeof(bp->bp_file)-1] = '\0'; /* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */ |