Date: Mon, 20 Mar 2017 22:20:17 +0000 (UTC) From: Toomas Soome <tsoome@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r315653 - in head: lib/libstand sys/boot/common sys/boot/i386/libi386 Message-ID: <201703202220.v2KMKHVP050735@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tsoome Date: Mon Mar 20 22:20:17 2017 New Revision: 315653 URL: https://svnweb.freebsd.org/changeset/base/315653 Log: loader: verify the value from dhcp.interface-mtu and use snprintf to set mtu Since the uset can set dhcp.interface-mtu, we need to try to validate the value. So we verify if the conversion to int is successful and we will not allow to set value greater than max IPv4 packet size. Also use snprintf for safety. Reviewed by: allanjude, bapt Approved by: allanjude (mentor) Differential Revision: https://reviews.freebsd.org/D8492 Modified: head/lib/libstand/bootp.c head/sys/boot/common/dev_net.c head/sys/boot/i386/libi386/pxe.c Modified: head/lib/libstand/bootp.c ============================================================================== --- head/lib/libstand/bootp.c Mon Mar 20 20:44:14 2017 (r315652) +++ head/lib/libstand/bootp.c Mon Mar 20 22:20:17 2017 (r315653) @@ -39,6 +39,7 @@ __FBSDID("$FreeBSD$"); #include <sys/types.h> +#include <sys/limits.h> #include <sys/endian.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -403,11 +404,29 @@ vend_rfc1048(cp, len) strlcpy(hostname, val, sizeof(hostname)); } if (tag == TAG_INTF_MTU) { + intf_mtu = 0; if ((val = getenv("dhcp.interface-mtu")) != NULL) { - intf_mtu = (u_int)strtoul(val, NULL, 0); - } else { - intf_mtu = be16dec(cp); + unsigned long tmp; + char *end; + + errno = 0; + /* + * Do not allow MTU to exceed max IPv4 packet + * size, max value of 16-bit word. + */ + tmp = strtoul(val, &end, 0); + if (errno != 0 || + *val == '\0' || *end != '\0' || + tmp > USHRT_MAX) { + printf("%s: bad value: \"%s\", " + "ignoring\n", + "dhcp.interface-mtu", val); + } else { + intf_mtu = (u_int)tmp; + } } + if (intf_mtu <= 0) + intf_mtu = be16dec(cp); } #ifdef SUPPORT_DHCP if (tag == TAG_DHCP_MSGTYPE) { Modified: head/sys/boot/common/dev_net.c ============================================================================== --- head/sys/boot/common/dev_net.c Mon Mar 20 20:44:14 2017 (r315652) +++ head/sys/boot/common/dev_net.c Mon Mar 20 22:20:17 2017 (r315653) @@ -175,7 +175,7 @@ net_open(struct open_file *f, ...) } if (intf_mtu != 0) { char mtu[16]; - sprintf(mtu, "%u", intf_mtu); + snprintf(mtu, sizeof(mtu), "%u", intf_mtu); setenv("boot.netif.mtu", mtu, 1); } Modified: head/sys/boot/i386/libi386/pxe.c ============================================================================== --- head/sys/boot/i386/libi386/pxe.c Mon Mar 20 20:44:14 2017 (r315652) +++ head/sys/boot/i386/libi386/pxe.c Mon Mar 20 22:20:17 2017 (r315653) @@ -342,7 +342,7 @@ pxe_open(struct open_file *f, ...) } if (intf_mtu != 0) { char mtu[16]; - sprintf(mtu, "%u", intf_mtu); + snprintf(sizeof(mtu), mtu, "%u", intf_mtu); setenv("boot.netif.mtu", mtu, 1); } printf("pxe_open: server addr: %s\n", inet_ntoa(rootip));
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201703202220.v2KMKHVP050735>