lwip-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [lwip-devel] [bug #36492] Static Analysis on code 1.4.0


From: Mason
Subject: Re: [lwip-devel] [bug #36492] Static Analysis on code 1.4.0
Date: Wed, 23 May 2012 12:51:48 +0200
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120429 Firefox/12.0 SeaMonkey/2.9.1

Mason wrote:

> bayard wrote:
> 
>> ABR : Buffer overflow, array index of 'hwaddr' may be out of bounds.
>> Array 'hwaddr' of size 6 may use index value(s) 6..15 :
>> lwip/src/core/dhcp.c : 1683 : Critical : Analyze
> 
> I assume line 1698 in the 1.4.x branch.
> 
>   for (i = 0; i < DHCP_CHADDR_LEN; i++) {
>     /* copy netif hardware address, pad with zeroes */
>     dhcp->msg_out->chaddr[i] = (i < netif->hwaddr_len) ? netif->hwaddr[i] : 
> 0/* pad byte*/;
>   }

Simon, Kieran,

I have a patch for dhcp_create_msg.

Instead of setting several fields to 0 (sometimes using loops
to clear arrays one byte (!!) at a time), I propose clearing
the whole struct, and then writing only non-zero fields.

Would you accept it?


--- dhcp.c.orig 2012-05-14 14:10:21.578125000 +0200
+++ dhcp.c      2012-05-23 12:35:20.880351400 +0200
@@ -1672,39 +1672,21 @@
               ("transaction id xid(%"X32_F")\n", xid));
 
   dhcp->msg_out = (struct dhcp_msg *)dhcp->p_out->payload;
+  memset(dhcp->msg_out, 0, sizeof *dhcp->msg_out);
 
   dhcp->msg_out->op = DHCP_BOOTREQUEST;
   /* TODO: make link layer independent */
   dhcp->msg_out->htype = DHCP_HTYPE_ETH;
   dhcp->msg_out->hlen = netif->hwaddr_len;
-  dhcp->msg_out->hops = 0;
   dhcp->msg_out->xid = htonl(dhcp->xid);
-  dhcp->msg_out->secs = 0;
-  /* we don't need the broadcast flag since we can receive unicast traffic
-     before being fully configured! */
-  dhcp->msg_out->flags = 0;
-  ip_addr_set_zero(&dhcp->msg_out->ciaddr);
   /* set ciaddr to netif->ip_addr based on message_type and state */
   if ((message_type == DHCP_INFORM) || (message_type == DHCP_DECLINE) ||
       ((message_type == DHCP_REQUEST) && /* DHCP_BOUND not used for sending! */
        ((dhcp->state==DHCP_RENEWING) || dhcp->state==DHCP_REBINDING))) {
     ip_addr_copy(dhcp->msg_out->ciaddr, netif->ip_addr);
   }
-  ip_addr_set_zero(&dhcp->msg_out->yiaddr);
-  ip_addr_set_zero(&dhcp->msg_out->siaddr);
-  ip_addr_set_zero(&dhcp->msg_out->giaddr);
-  for (i = 0; i < DHCP_CHADDR_LEN; i++) {
-    /* copy netif hardware address, pad with zeroes */
-    dhcp->msg_out->chaddr[i] = (i < netif->hwaddr_len) ? netif->hwaddr[i] : 
0/* pad byte*/;
-  }


-- 
Regards.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]