[PATCH] libnetworking/rtems_dhcp.c: Fix improper hostname handling in DHCP request
Sebastian Huber
sebastian.huber at embedded-brains.de
Thu Jan 7 06:37:27 UTC 2016
On 07/01/16 02:38, Aun-Ali Zaidi wrote:
> From: Tim Cussins <timcussins at eml.cc>
>
> DHCP requests add the hostname option in dhcp_request_req() - this is cool, except that the dhcp
> spec requires that this option has a length >= 1 char.
>
> Excerpt taken from RFC 2132:
>
> 3.14. Host Name Option
>
> This option specifies the name of the client. The name may or may
> not be qualified with the local domain name (see section 3.17 for the
> preferred way to retrieve the domain name). See RFC 1035 for
> character set restrictions.
>
> The code for this option is 12, and its minimum length is 1.
>
> Code Len Host Name
> +-----+-----+-----+-----+-----+-----+-----+-----+--
> | 12 | n | h1 | h2 | h3 | h4 | h5 | h6 | ...
> +-----+-----+-----+-----+-----+-----+-----+-----+--
>
> At present, the hostname is added regardless. This appears to trigger a bug in a specific Netgear
> router that causes its dhcp process to lock up.
>
> closes #1405.
> ---
> cpukit/libnetworking/rtems/rtems_dhcp.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/cpukit/libnetworking/rtems/rtems_dhcp.c b/cpukit/libnetworking/rtems/rtems_dhcp.c
> index cb6966d..c0c95f5 100644
> --- a/cpukit/libnetworking/rtems/rtems_dhcp.c
> +++ b/cpukit/libnetworking/rtems/rtems_dhcp.c
> @@ -681,10 +681,18 @@ dhcp_request_req (struct dhcp_packet* call,
> {
> if (gethostname (hostname, MAXHOSTNAMELEN) == 0)
> {
> - call->vend[len++] = DHCP_HOST;
> - call->vend[len++] = strlen (hostname);
> - strcpy ((char*) &call->vend[len], hostname);
> - len += strlen (hostname);
> + /* RFC 2132 Section 3.14 dictates min length for this option is 1 char.
> + If hostname is zero-length, then let's just not add it */
> +
> + size_t hostnamelen = strlen (hostname);
> +
> + if (hostnamelen > 0 && hostnamelen < MAXHOSTNAMELEN)
> + {
> + call->vend[len++] = DHCP_HOST;
> + call->vend[len++] = (uint8_t) hostnamelen;
What guarantees that this reduction of hostnamelen to 8-bits is well
defined?
> + memcpy (&call->vend[len], hostname, hostnamelen);
> + len += (int) hostnamelen;
What guarantees that you have enough space for this memcpy() in the
destination buffer?
> + }
> }
> free (hostname, 0);
> }
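Review bot: the guard `hostnamelen < MAXHOSTNAMELEN` in the new `if` bounds the name by the size of the source buffer, which is neither of the limits the two stores after it depend on. The length field written by `call->vend[len++] = (uint8_t) hostnamelen;` is a single octet, so the cast only preserves the value when `hostnamelen <= 255`; nothing visible in this hunk ties `MAXHOSTNAMELEN` to that limit, so test against 255 explicitly. The `memcpy()` then writes `hostnamelen` octets at `&call->vend[len]` without comparing `len + 2 + hostnamelen` to the size of `call->vend`; add that comparison to the condition, leaving room for whatever options are appended afterwards, and skip the option when it does not fit. The comment should also mention the upper bounds once they are in place, since it currently documents only the zero-length case.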
--
Sebastian Huber, embedded brains GmbH
Address : Dornierstr. 4, D-82178 Puchheim, Germany
Phone : +49 89 189 47 41-16
Fax : +49 89 189 47 41-09
E-Mail : sebastian.huber at embedded-brains.de
PGP : Public key available on request.
This message is not a business communication within the meaning of the EHUG.
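The option layout quoted from RFC 2132 in the commit message, together with the two bounds questions raised in the review, as an added example that is not code from the patch or from RTEMS. The function name, the `name_cap` parameter, the `OPT_*` constants and the octet kept free for an END option are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPT_HOST_NAME 12u   /* option code from RFC 2132 section 3.14 */
#define OPT_END       255u  /* RFC 2132 end option; one octet is kept free for it */

/*
 * Append a host name option to opts[0..size) at offset off.
 * Returns the new offset, or off unchanged when the option is skipped:
 * empty name (minimum length is 1), name longer than the one-octet
 * length field can carry, or not enough room left in the buffer.
 * Hypothetical helper, not an RTEMS function.
 */
size_t dhcp_put_host_name(uint8_t *opts, size_t size, size_t off,
                          const char *name, size_t name_cap)
{
    /* Bounded scan: a truncated gethostname() result may lack a NUL. */
    const char *nul = memchr(name, '\0', name_cap);
    size_t n;

    if (nul == NULL)
        return off;
    n = (size_t)(nul - name);

    if (n < 1 || n > UINT8_MAX)
        return off;
    /* Need code + length + n octets, plus one octet for the END option. */
    if (off > size || size - off < n + 3)
        return off;

    opts[off++] = OPT_HOST_NAME;
    opts[off++] = (uint8_t)n;      /* lossless: n <= 255 was checked above */
    memcpy(&opts[off], name, n);   /* the option carries no trailing NUL */
    return off + n;
}
```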