From 7580ae52d328d955c898d5b7971a454a4587fdbb Mon Sep 17 00:00:00 2001 From: florian Date: Wed, 10 Jul 2024 10:30:46 +0000 Subject: [PATCH] Only vis(3) the option, not the rest of the packet. Lots of head scratching and help from the hackroom ensued because of a inconveniently placed \r that truncated a string and placed garbage at a weird place. --- sbin/dhcp6leased/engine.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/sbin/dhcp6leased/engine.c b/sbin/dhcp6leased/engine.c index 5ab07541653..7ae2af68406 100644 --- a/sbin/dhcp6leased/engine.c +++ b/sbin/dhcp6leased/engine.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.17 2024/07/09 16:24:57 florian Exp $ */ +/* $OpenBSD: engine.c,v 1.18 2024/07/10 10:30:46 florian Exp $ */ /* * Copyright (c) 2017, 2021, 2024 Florian Obser @@ -1009,8 +1009,13 @@ parse_ia_pd_options(uint8_t *p, size_t len, struct prefix *prefix) } memcpy(&status_code, p, sizeof(uint16_t)); status_code = ntohs(status_code); - visbuf = calloc(4, len - 2); - strvisx(visbuf, p + 2, len - 2, VIS_SAFE); + /* must be at least 4 * srclen + 1 long */ + visbuf = calloc(4, opt_hdr.len - 2 + 1); + if (visbuf == NULL) { + log_warn("%s", __func__); + break; + } + strvisx(visbuf, p + 2, opt_hdr.len - 2, VIS_SAFE); log_debug("%s: %s - %s", __func__, dhcp_status2str(status_code), visbuf); break; -- 2.20.1