aboutgitcodebugslistschat
path: root/dhcp.c
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2021-02-21 11:33:38 +0100
committerStefano Brivio <sbrivio@redhat.com>2021-02-21 11:55:49 +0100
commit8bca388e8a771d069b2a2d4ac47589112f6f0af3 (patch)
tree6e934d87ab33ef3116da032c3f5acb044c0cc6cc /dhcp.c
parent105b916361ca6e9e63112444c323cc193303120c (diff)
downloadpasst-8bca388e8a771d069b2a2d4ac47589112f6f0af3.tar
passt-8bca388e8a771d069b2a2d4ac47589112f6f0af3.tar.gz
passt-8bca388e8a771d069b2a2d4ac47589112f6f0af3.tar.bz2
passt-8bca388e8a771d069b2a2d4ac47589112f6f0af3.tar.lz
passt-8bca388e8a771d069b2a2d4ac47589112f6f0af3.tar.xz
passt-8bca388e8a771d069b2a2d4ac47589112f6f0af3.tar.zst
passt-8bca388e8a771d069b2a2d4ac47589112f6f0af3.zip
passt: Assorted fixes from "fresh eyes" review
A bunch of fixes not worth single commits at this stage, notably: - make buffer, length parameter ordering consistent in ARP, DHCP, NDP handlers - strict checking of buffer, message and option length in DHCP handler (a malicious client could have easily crashed it) - set up forwarding for IPv4 and IPv6, and masquerading with nft for IPv4, from demo script - get rid of separate slow and fast timers, we don't save any overhead that way - stricter checking of buffer lengths as passed to tap handlers - proper dequeuing from qemu socket back-end: I accidentally trashed messages that were bundled up together in a single tap read operation -- the length header tells us what's the size of the next frame, but there's no apparent limit to the number of messages we get with one single receive - rework some bits of the TCP state machine, now passive and active connection closes appear to be robust -- introduce a new FIN_WAIT_1_SOCK_FIN state indicating a FIN_WAIT_1 with a FIN flag from socket - streamline TCP option parsing routine - track TCP state changes to stderr (this is temporary, proper debugging and syslogging support pending) - observe that multiplying a number by four might very well change its value, and this happens to be the case for the data offset from the TCP header as we check if it's the same as the total length to find out if it's a duplicated ACK segment - recent estimates suggest that the duration of a millisecond is closer to a million nanoseconds than a thousand of them, this trend is now reflected into the timespec_diff_ms() convenience routine Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'dhcp.c')
-rw-r--r--dhcp.c29
1 files changed, 23 insertions, 6 deletions
diff --git a/dhcp.c b/dhcp.c
index 3af4ace..d4a5261 100644
--- a/dhcp.c
+++ b/dhcp.c
@@ -163,22 +163,39 @@ static int fill(struct msg *m)
*
* Return: 0 if it's not a DHCP message, 1 if handled, -1 on failure
*/
-int dhcp(struct ctx *c, unsigned len, struct ethhdr *eh)
+int dhcp(struct ctx *c, struct ethhdr *eh, size_t len)
{
struct iphdr *iph = (struct iphdr *)(eh + 1);
- struct udphdr *uh = (struct udphdr *)((char *)iph + iph->ihl * 4);
- struct msg *m = (struct msg *)(uh + 1);
- unsigned int i, mlen = len - sizeof(*eh) - sizeof(*iph);
+ size_t mlen, olen;
+ struct udphdr *uh;
+ unsigned int i;
+ struct msg *m;
+
+ if (len < sizeof(*eh) + sizeof(*iph))
+ return 0;
+
+ if (len < sizeof(*eh) + iph->ihl * 4 + sizeof(*uh))
+ return 0;
+
+ uh = (struct udphdr *)((char *)iph + iph->ihl * 4);
+ m = (struct msg *)(uh + 1);
if (uh->dest != htons(67))
return 0;
- if (mlen != ntohs(uh->len) || mlen < offsetof(struct msg, o) ||
+ mlen = len - sizeof(*eh) - iph->ihl * 4 - sizeof(*uh);
+ if (mlen != ntohs(uh->len) - sizeof(*uh) ||
+ mlen < offsetof(struct msg, o) ||
m->op != BOOTREQUEST)
return -1;
- for (i = 0; i < mlen - offsetof(struct msg, o); i += m->o[i + 1] + 2)
+ olen = mlen - offsetof(struct msg, o);
+ for (i = 0; i + 2 < olen; i += m->o[i + 1] + 2) {
+ if (m->o[i + 1] + i + 2 >= olen)
+ return -1;
+
memcpy(&opts[m->o[i]].c, &m->o[i + 2], m->o[i + 1]);
+ }
if (opts[53].c[0] == DHCPDISCOVER) {
fprintf(stderr, "DHCP: offer to discover");