When copying the DHCP/BOOTP response into the allocated buffer, use
the calculated response length instead of the maximum size of a DHCP
packet. The response length was verified correctly but the very last
step failed to use it.
Found by Caspar Schutijser and malloc.conf(5) "S"
OK deraadt@
-/* $OpenBSD: dhcp.c,v 1.2 2017/04/21 07:03:26 reyk Exp $ */
+/* $OpenBSD: dhcp.c,v 1.3 2017/04/24 07:14:27 reyk Exp $ */
/*
* Copyright (c) 2017 Reyk Floeter <reyk@openbsd.org>
goto fail;
}
- memcpy(respbuf + offset, &resp, sizeof(resp));
+ memcpy(respbuf + offset, &resp, resplen);
respbuflen = offset + resplen;
*obuf = respbuf;
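Review bot: The memcpy into respbuf + offset now depends on two bounds that are not visible in this hunk: resplen must not exceed sizeof(resp), otherwise the copy reads past the source struct, and respbuf must have been allocated with at least offset + resplen bytes. The commit message says the length was verified earlier, so a short comment beside the memcpy naming that check, or deriving the allocation size and the copy length from the same expression, would keep the two from drifting apart again. The new length does agree with respbuflen = offset + resplen on the following line, which the old sizeof(resp) copy did not.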