From bfa31a59c05c262ffe944cda8d7125b1b0f0b0c7 Mon Sep 17 00:00:00 2001
From: reyk
Date: Mon, 24 Apr 2017 07:14:27 +0000
Subject: [PATCH] Don't overflow the allocated DHCP response buffer.

When copying the DHCP/BOOTP response into the allocated buffer, use the calculated response length instead of the maximum size of a DHCP packet. The response length was verified correctly but the very last step missed to use it. Found by Caspar Schutijser and malloc.conf(5) "S" OK deraadt@
---
 usr.sbin/vmd/dhcp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/vmd/dhcp.c b/usr.sbin/vmd/dhcp.c
index 65ea4ffae33..3fd0f727b07 100644
--- a/usr.sbin/vmd/dhcp.c
+++ b/usr.sbin/vmd/dhcp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhcp.c,v 1.2 2017/04/21 07:03:26 reyk Exp $ */
+/* $OpenBSD: dhcp.c,v 1.3 2017/04/24 07:14:27 reyk Exp $ */
 /*
 * Copyright (c) 2017 Reyk Floeter
@@ -154,7 +154,7 @@ dhcp_request(struct vionet_dev *dev, char *buf, size_t buflen, char **obuf)
 goto fail;
 }
- memcpy(respbuf + offset, &resp, sizeof(resp));
+ memcpy(respbuf + offset, &resp, resplen);
 respbuflen = offset + resplen;
 *obuf = respbuf;
-- 
2.20.1
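Review bot: The corrected `memcpy(respbuf + offset, &resp, resplen)` in dhcp_request() depends on two bounds that are not visible in this hunk: `resplen` must not exceed `sizeof(resp)`, otherwise the copy reads past the source object, and `respbuf` must have been allocated with at least `offset + resplen` bytes. The commit message says the length is verified earlier, so both are presumably already guaranteed. A short comment above the copy would keep that invariant next to the line that relies on it, e.g. `/* resplen <= sizeof(resp) and respbuf holds offset + resplen bytes; both checked above */`. The function body starts and ends outside the hunk, so the checks themselves cannot be confirmed from here.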