diff options
Diffstat (limited to 'net/bootp.c')
| -rw-r--r-- | net/bootp.c | 24 |
1 files changed, 10 insertions, 14 deletions
diff --git a/net/bootp.c b/net/bootp.c index 19e7453daed..64fca9a42d9 100644 --- a/net/bootp.c +++ b/net/bootp.c @@ -379,6 +379,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip, debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n", src, dest, len, sizeof(struct bootp_hdr)); + /* Check the minimum size of a BOOTP packet is respected. + * A BOOTP packet is between 300 bytes and 576 bytes big + */ + if (len < offsetof(struct bootp_hdr, bp_vend) + 64) { + printf("Error: got an invalid BOOTP packet (len=%u)\n", len); + return; + } + bp = (struct bootp_hdr *)pkt; /* Filter out pkts we don't want */ @@ -396,7 +404,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip, /* Retrieve extended information (we must parse the vendor area) */ if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC)) - bootp_process_vendor((uchar *)&bp->bp_vend[4], len); + bootp_process_vendor((uchar *)&bp->bp_vend[4], len - + (offsetof(struct bootp_hdr, bp_vend) + 4)); net_set_timeout_handler(0, (thand_f *)0); bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop"); @@ -491,9 +500,6 @@ static int dhcp_extended(u8 *e, int message_type, struct in_addr server_ip, #endif int clientarch = -1; -#if defined(CONFIG_BOOTP_VENDOREX) - u8 *x; -#endif #if defined(CONFIG_BOOTP_SEND_HOSTNAME) char *hostname; #endif @@ -584,12 +590,6 @@ static int dhcp_extended(u8 *e, int message_type, struct in_addr server_ip, e = add_vci(e); -#if defined(CONFIG_BOOTP_VENDOREX) - x = dhcp_vendorex_prep(e); - if (x) - return x - start; -#endif - *e++ = 55; /* Parameter Request List */ cnt = e++; /* Pointer to count of requested items */ *cnt = 0; @@ -977,10 +977,6 @@ static void dhcp_process_options(uchar *popt, uchar *end) } break; default: -#if defined(CONFIG_BOOTP_VENDOREX) - if (dhcp_vendorex_proc(popt)) - break; -#endif printf("*** Unhandled DHCP Option in OFFER/ACK:" " %d\n", *popt); break; |