Blame dhcp-4.0.0-CVE-2009-0692.patch
|
|
ee2ed19 |
diff -up dhcp-4.0.0/client/dhclient.c.CVE-2009-0692 dhcp-4.0.0/client/dhclient.c
|
|
|
ee2ed19 |
--- dhcp-4.0.0/client/dhclient.c.CVE-2009-0692 2007-11-30 11:51:42.000000000 -1000
|
|
|
ee2ed19 |
+++ dhcp-4.0.0/client/dhclient.c 2009-08-05 12:10:19.000000000 -1000
|
|
|
ee2ed19 |
@@ -2813,8 +2813,15 @@ void script_write_params (client, prefix
|
|
|
ee2ed19 |
if (data.len > 3) {
|
|
|
ee2ed19 |
struct iaddr netmask, subnet, broadcast;
|
|
|
ee2ed19 |
|
|
|
ee2ed19 |
- memcpy (netmask.iabuf, data.data, data.len);
|
|
|
ee2ed19 |
- netmask.len = data.len;
|
|
|
ee2ed19 |
+ /*
|
|
|
ee2ed19 |
+ * No matter the length of the subnet-mask option,
|
|
|
ee2ed19 |
+ * use only the first four octets. Note that
|
|
|
ee2ed19 |
+ * subnet-mask options longer than 4 octets are not
|
|
|
ee2ed19 |
+ * in conformance with RFC 2132, but servers with this
|
|
|
ee2ed19 |
+ * flaw do exist.
|
|
|
ee2ed19 |
+ */
|
|
|
ee2ed19 |
+ memcpy(netmask.iabuf, data.data, 4);
|
|
|
ee2ed19 |
+ netmask.len = 4;
|
|
|
ee2ed19 |
data_string_forget (&data, MDL);
|
|
|
ee2ed19 |
|
|
|
ee2ed19 |
subnet = subnet_number (lease -> address, netmask);
|