From: Toomas Soome
Date: Mon, 20 Mar 2017 22:20:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r315653 - in head: lib/libstand sys/boot/common sys/boot/i386/libi386

Author: tsoome
Date: Mon Mar 20 22:20:17 2017
New Revision: 315653
URL: https://svnweb.freebsd.org/changeset/base/315653

Log:
  loader: verify the value from dhcp.interface-mtu and use snprintf to set mtu

  Since the user can set dhcp.interface-mtu, we need to try to validate the
  value. So we verify if the conversion to int is successful and we will not
  allow to set value greater than max IPv4 packet size.

  Also use snprintf for safety.

  Reviewed by: allanjude, bapt
  Approved by: allanjude (mentor)
  Differential Revision: https://reviews.freebsd.org/D8492

Modified:
  head/lib/libstand/bootp.c
  head/sys/boot/common/dev_net.c
  head/sys/boot/i386/libi386/pxe.c

Modified: head/lib/libstand/bootp.c ============================================================================== --- head/lib/libstand/bootp.c Mon Mar 20 20:44:14 2017 (r315652) +++ head/lib/libstand/bootp.c Mon Mar 20 22:20:17 2017 (r315653) @@ -39,6 +39,7 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include #include 
@@ -403,11 +404,29 @@ vend_rfc1048(cp, len) strlcpy(hostname, val, sizeof(hostname)); } if (tag == TAG_INTF_MTU) { + intf_mtu = 0; if ((val = getenv("dhcp.interface-mtu")) != NULL) { - intf_mtu = (u_int)strtoul(val, NULL, 0); - } else { - intf_mtu = be16dec(cp); + unsigned long tmp; + char *end; + + errno = 0; + /* + * Do not allow MTU to exceed max IPv4 packet + * size, max value of 16-bit word. + */ + tmp = strtoul(val, &end, 0); + if (errno != 0 || + *val == '\0' || *end != '\0' || + tmp > USHRT_MAX) { + printf("%s: bad value: \"%s\", " + "ignoring\n", + "dhcp.interface-mtu", val); + } else { + intf_mtu = (u_int)tmp; + } } + if (intf_mtu <= 0) + intf_mtu = be16dec(cp); } #ifdef SUPPORT_DHCP if (tag == TAG_DHCP_MSGTYPE) { Modified: head/sys/boot/common/dev_net.c ============================================================================== --- head/sys/boot/common/dev_net.c Mon Mar 20 20:44:14 2017 (r315652) +++ head/sys/boot/common/dev_net.c Mon Mar 20 22:20:17 2017 (r315653) @@ -175,7 +175,7 @@ net_open(struct open_file *f, ...) } if (intf_mtu != 0) { char mtu[16]; - sprintf(mtu, "%u", intf_mtu); + snprintf(mtu, sizeof(mtu), "%u", intf_mtu); setenv("boot.netif.mtu", mtu, 1); } Modified: head/sys/boot/i386/libi386/pxe.c ============================================================================== --- head/sys/boot/i386/libi386/pxe.c Mon Mar 20 20:44:14 2017 (r315652) +++ head/sys/boot/i386/libi386/pxe.c Mon Mar 20 22:20:17 2017 (r315653) @@ -342,7 +342,7 @@ pxe_open(struct open_file *f, ...) } if (intf_mtu != 0) { char mtu[16]; - sprintf(mtu, "%u", intf_mtu); + snprintf(sizeof(mtu), mtu, "%u", intf_mtu); setenv("boot.netif.mtu", mtu, 1); } printf("pxe_open: server addr: %s\n", inet_ntoa(rootip));
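Review bot: The new check in the vend_rfc1048() hunk of bootp.c bounds the dhcp.interface-mtu value only from above (`tmp > USHRT_MAX`), so a setting such as 1 passes validation and is stored in intf_mtu. Consider rejecting values below a sane minimum with the same "bad value" message. Two smaller points in the same hunk: `strtoul(val, &end, 0)` with base 0 parses a leading 0 as octal and also accepts a leading minus sign, so a base 10 parse may be closer to what a user setting an MTU expects; and the fallback test `if (intf_mtu <= 0)` reads as a signed comparison while the `(u_int)` cast suggests intf_mtu is unsigned, in which case `== 0` states the intent. The comment about the max IPv4 packet size would also sit better next to the `tmp > USHRT_MAX` test than above the strtoul() call.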
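Review bot: In the pxe_open() hunk of pxe.c the snprintf() arguments are in the wrong order: `snprintf(sizeof(mtu), mtu, "%u", intf_mtu);` passes the size where the destination buffer belongs and the buffer where the size belongs. It should match the net_open() hunk in dev_net.c, `snprintf(mtu, sizeof(mtu), "%u", intf_mtu);`. As written, the call does not fill mtu, and the following `setenv("boot.netif.mtu", mtu, 1);` reads an uninitialized stack buffer. The same lines now exist in both net_open() and pxe_open(); a shared helper for setting boot.netif.mtu would keep the two copies from diverging like this.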