Bug fix for BOOTP client

Patrick Kelsey pjk at wmi.com
Wed Nov 29 15:15:13 UTC 2000


The attached diff fixes a bug in the options processing code of the RTEMS
BOOTP client that under certain conditions can result in memory corruption.
The essence of the problem is that there is an ambiguity in how the DHCP
options override mechanism is to be implemented and the current code is not
robust with respect to this ambiguity.  The current code assumes that if the
options override mechanism is used, then each field in the packet containing
options begins with an option code.  For one, the Linux DHCP server does not
function this way.  When using the options override mechanism, it partitions
the whole options string among the separate buffers at the buffer
boundaries, not on option code boundaries.  This can result in the secondary
and tertiary options buffers beginning with something other than an option
code.  One of the symptoms of this problem is spurious 'Truncated field
code...' messages during the bootp process.  There are several cases that
can result in memory corruption, depending on the actual data in the options
buffers.  I can give specific examples to any interested parties.

The enclosed fix reduces the assumptions about the way the options override
mechanism is used to the assumption that if it is used AND both the file and
sname fields are overridden, then the file field is filled before the sname
field.

--
Patrick Kelsey

Woodward McCoach, Inc.        (voice) 877.284.4804 x126
pjk at wmi.com                            (fax) 610.436.8258
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bootp_subr.diff
Type: application/octet-stream
Size: 6080 bytes
Desc: not available
URL: <http://lists.rtems.org/pipermail/users/attachments/20001129/0854cecc/attachment.obj>
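
An added illustration of the parsing problem described in the message above; it is not the attached diff and not RTEMS code. It walks the options, file and sname buffers as one logical stream (file before sname), so an option split at a buffer boundary is reassembled and every read and write is bounds-checked. `find_option` and the struct names are hypothetical; the sample packets in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum { OPT_PAD = 0, OPT_OVERLOAD = 52, OPT_END = 255 };
enum { FILE_LEN = 128, SNAME_LEN = 64 };   /* BOOTP file and sname field sizes */

struct seg { const uint8_t *p; size_t n; };
/* Cursor over the option buffers in parse order: options, file, sname. */
struct cur { struct seg s[3]; int nseg, i; size_t off; };

/* Next byte of the logical option stream, or -1 once every buffer is used up. */
static int next_byte(struct cur *c)
{
    while (c->i < c->nseg && c->off >= c->s[c->i].n) { c->i++; c->off = 0; }
    return c->i < c->nseg ? c->s[c->i].p[c->off++] : -1;
}

/* Hypothetical helper: copy option `want` into out[cap].
 * Returns its length, -1 if absent, -2 if the options are malformed. */
int find_option(const uint8_t *opts, size_t optlen, const uint8_t *file,
                const uint8_t *sname, uint8_t want, uint8_t *out, size_t cap)
{
    struct cur c = { { { opts, optlen } }, 1, 0, 0 };
    int code, len, b, k;

    while ((code = next_byte(&c)) >= 0) {
        if (code == OPT_PAD) continue;
        if (code == OPT_END) {               /* rest of this buffer is padding */
            c.off = c.s[c.i].n;
            continue;
        }
        if ((len = next_byte(&c)) < 0) return -2;    /* code without a length */
        for (k = 0; k < len; k++) {
            /* Data may continue in the next buffer; past the last one is an error. */
            if ((b = next_byte(&c)) < 0) return -2;
            if (code == want) {
                if ((size_t)k >= cap) return -2;     /* never write past out[] */
                out[k] = (uint8_t)b;
            }
            /* Overload is only honoured once, from the options field itself. */
            if (code == OPT_OVERLOAD && k == 0 && c.nseg == 1) {
                if (b & 1) c.s[c.nseg++] = (struct seg){ file, FILE_LEN };
                if (b & 2) c.s[c.nseg++] = (struct seg){ sname, SNAME_LEN };
            }
        }
        if (code == want) return len;
    }
    return -1;
}
```

The same walk accepts servers that end each buffer with its own end option, because an end code only skips the remainder of the buffer it appears in.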

