From: Samuel Thibault Date: Mon, 21 Jun 2021 06:38:32 +0000 (+0200) Subject: dhcp: Always send DHCP_OPT_LEN bytes in options X-Git-Tag: upstream/4.2.1~3 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5e587544200aafbc621b2b5587c1e516e96bccbc;p=tools%2Fqemu-arm-static.git dhcp: Always send DHCP_OPT_LEN bytes in options Git-commit: d7fb54218424c3b2517aee5b391ced0f75386a5d References: bsc#1187364, CVE-2021-3592 RFC2131 suggests that the options field may be at least 312 bytes. Some DHCP clients seem to assume that it has to be at least 312 bytes. Fixes #51 Fixes: f13cad45b25d92760bb0ad67bec0300a4d7d5275 ("bootp: limit vendor-specific area to input packet memory buffer") Signed-off-by: Samuel Thibault Signed-off-by: Jose R Ziviani
---
diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
index cafa1eb1f..d78d61b44 100644
--- a/slirp/src/bootp.c
+++ b/slirp/src/bootp.c
@@ -355,11 +355,13 @@ static void bootp_reply(Slirp *slirp,
 q += sizeof(nak_msg) - 1;
 }
 assert(q < end);
- *q = RFC1533_END;
+ *q++ = RFC1533_END;
 daddr.sin_addr.s_addr = 0xffffffffu;
- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr);
+ assert(q <= end);
+
+ m->m_len = sizeof(struct bootp_t) + (end - rbp->bp_vend) - sizeof(struct ip) - sizeof(struct udphdr);
 udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY);
 }
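Review bot: The new `m->m_len` always covers the option area up to `end`, so every byte between `q` and `end` is now sent to the guest, and nothing in this hunk shows that tail being cleared. bootp_reply starts outside the hunk, so the reply buffer may already be zeroed through `end`; if it is not, the padding would carry stale buffer contents, and adding `memset(q, 0, end - q);` after `*q++ = RFC1533_END;` makes the padding explicit either way. Both bounds checks here are `assert()` calls, which compile out under `NDEBUG`; if the project can be built that way, they would not stop a write past `end`.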