From 8d45162a59481cc6ed35e9ff9ebf13b18cbf7d9a Mon Sep 17 00:00:00 2001
From: Dirk Ziegelmeier
Date: Tue, 30 Aug 2016 21:33:43 +0200
Subject: [PATCH] Fix usage of uninitialized data in dhcp.c by checking pbuf_copy_partial() return value
---
 src/core/ipv4/dhcp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/core/ipv4/dhcp.c b/src/core/ipv4/dhcp.c
index 46bfcf2c..4ffd86b0 100644
--- a/src/core/ipv4/dhcp.c
+++ b/src/core/ipv4/dhcp.c
@@ -1493,7 +1493,7 @@ again:
 int decode_idx = -1;
 u16_t val_offset = offset + 2;
 /* len byte might be in the next pbuf */
- if (offset + 1 < q->len) {
+ if ((offset + 1) < q->len) {
 len = options[offset + 1];
 } else {
 len = (q->next != NULL ? ((u8_t*)q->next->payload)[0] : 0);
@@ -1572,7 +1572,9 @@ decode_next:
 LWIP_ASSERT("check decode_idx", decode_idx >= 0 && decode_idx < DHCP_OPTION_IDX_MAX);
 if (!dhcp_option_given(dhcp, decode_idx)) {
 copy_len = LWIP_MIN(decode_len, 4);
- pbuf_copy_partial(q, &value, copy_len, val_offset);
+ if (pbuf_copy_partial(q, &value, copy_len, val_offset) != copy_len) {
+ return ERR_BUF;
+ }
 if (decode_len > 4) {
 /* decode more than one u32_t */
 LWIP_ERROR("decode_len % 4 == 0", decode_len % 4 == 0, return ERR_VAL;);
@@ -1628,7 +1630,9 @@ decode_next:
 if (dhcp_option_given(dhcp, DHCP_OPTION_IDX_MSG_TYPE) &&
 (dhcp_get_option_value(dhcp, DHCP_OPTION_IDX_MSG_TYPE) == DHCP_ACK))
 /* copy bootp file name, don't care for sname (server hostname) */
- pbuf_copy_partial(p, dhcp->boot_file_name, DHCP_FILE_LEN-1, DHCP_FILE_OFS);
+ if (pbuf_copy_partial(p, dhcp->boot_file_name, DHCP_FILE_LEN-1, DHCP_FILE_OFS) != (DHCP_FILE_LEN-1)) {
+ return ERR_BUF;
+ }
 /* make sure the string is really NULL-terminated */
 dhcp->boot_file_name[DHCP_FILE_LEN-1] = 0;
 }
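Review bot: The new `return ERR_BUF;` in the decode_next hunk (@@ -1572) has no comment saying what condition it stands for, and the same holds for the identical return in the boot-file hunk (@@ -1628). A short copy here presumably means the option claims more value bytes than the received pbuf chain holds, i.e. a truncated or malformed reply from the network, and that is worth stating next to the check, e.g. `/* option value runs past the end of the packet: reject the malformed reply */`. The enclosing function starts outside the hunk; if its header comment lists return codes, ERR_BUF should be added there as well.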
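Review bot: On the failure path added in the boot-file hunk (@@ -1628), `dhcp->boot_file_name` can be left holding a partly copied name, because pbuf_copy_partial() may have written some bytes before coming up short and the function then returns without touching the buffer again. Clearing it first, `dhcp->boot_file_name[0] = 0;` before `return ERR_BUF;`, keeps a rejected packet from leaving data behind; whether callers discard the dhcp state on error is not visible here. The outer `if (dhcp_option_given(...) && ...)` is also still unbraced with a comment between it and its body, so the new braced `if` is its entire body while the NUL-termination below runs unconditionally; braces on the outer `if` would make that explicit.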