From: "Conrad E. Meyer"
Date: Thu, 12 May 2016 04:28:22 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r299512 - head/sbin/dhclient

Author: cem
Date: Thu May 12 04:28:22 2016
New Revision: 299512
URL: https://svnweb.freebsd.org/changeset/base/299512

Log:
  dhclient: Fix some trivial buffer overruns

  There was some confusion about how to limit a hardware address to at most 16
  bytes. In some cases it would overrun a byte off the end of the array.

  Correct the types and rectify the overrun.

  Reported by: Coverity
  CIDs: 1008682, 1305550
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/sbin/dhclient/dhclient.c

Modified: head/sbin/dhclient/dhclient.c ============================================================================== --- head/sbin/dhclient/dhclient.c Thu May 12 04:08:45 2016 (r299511) +++ head/sbin/dhclient/dhclient.c Thu May 12 04:28:22 2016 (r299512) @@ -56,6 +56,8 @@ #include __FBSDID("$FreeBSD$"); +#include + #include "dhcpd.h" #include "privsep.h" 
@@ -1570,16 +1572,18 @@ make_discover(struct interface_info *ip, } /* set unique client identifier */ - char client_ident[sizeof(struct hardware)]; + struct hardware client_ident; if (!options[DHO_DHCP_CLIENT_IDENTIFIER]) { - int hwlen = (ip->hw_address.hlen < sizeof(client_ident)-1) ? - ip->hw_address.hlen : sizeof(client_ident)-1; - client_ident[0] = ip->hw_address.htype; - memcpy(&client_ident[1], ip->hw_address.haddr, hwlen); + size_t hwlen = MIN(ip->hw_address.hlen, + sizeof(client_ident.haddr)); + client_ident.htype = ip->hw_address.htype; + client_ident.hlen = hwlen; + memcpy(client_ident.haddr, ip->hw_address.haddr, hwlen); options[DHO_DHCP_CLIENT_IDENTIFIER] = &option_elements[DHO_DHCP_CLIENT_IDENTIFIER]; - options[DHO_DHCP_CLIENT_IDENTIFIER]->value = client_ident; - options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen+1; - options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen+1; + options[DHO_DHCP_CLIENT_IDENTIFIER]->value = (void *)&client_ident; + hwlen += offsetof(struct hardware, haddr); + options[DHO_DHCP_CLIENT_IDENTIFIER]->len = hwlen; + options[DHO_DHCP_CLIENT_IDENTIFIER]->buf_size = hwlen; options[DHO_DHCP_CLIENT_IDENTIFIER]->timeout = 0xFFFFFFFF; } @@ -1605,8 +1609,8 @@ make_discover(struct interface_info *ip, 0, sizeof(ip->client->packet.siaddr)); memset(&(ip->client->packet.giaddr), 0, sizeof(ip->client->packet.giaddr)); - memcpy(ip->client->packet.chaddr, - ip->hw_address.haddr, ip->hw_address.hlen); + memcpy(ip->client->packet.chaddr, ip->hw_address.haddr, + MIN(ip->hw_address.hlen, sizeof(ip->client->packet.chaddr))); }
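
Review bot: in the client-identifier block of make_discover (hunk at -1570), the new length `hwlen + offsetof(struct hardware, haddr)` changes the bytes sent in DHO_DHCP_CLIENT_IDENTIFIER, not only the bound on the copy. The removed code placed `htype` at byte 0 followed directly by `haddr`, with `len = hwlen+1`. The new code points `->value` at a `struct hardware` and also fills in `client_ident.hlen`, so if `hlen` sits between `htype` and `haddr` in that struct, the option now carries an extra length byte and a server sees a different identifier for the same interface, which breaks lease and reservation lookups keyed on the old value. If the intent is only to stop the one-byte overrun, keep a byte buffer of `1 + sizeof(ip->hw_address.haddr)`, clamp `hwlen` to `sizeof(ip->hw_address.haddr)`, and leave the option length at `hwlen + 1`.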
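
Review bot: the `MIN()` added to the `chaddr` memcpy (hunk at -1605) bounds the destination only. The length still comes from `ip->hw_address.hlen`, so the read from `ip->hw_address.haddr` is safe only if `sizeof(ip->client->packet.chaddr)` is no larger than `sizeof(ip->hw_address.haddr)`. Clamping against both sizes, or validating `hlen` once where the interface address is first stored, would remove that dependency. If this function also writes `ip->hw_address.hlen` into the packet's own length field (not visible in this hunk), that field should use the same clamped value, otherwise a truncated `chaddr` goes out with a length that claims more bytes than were copied.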