udhcpc: fix OPTION_6RD parsing (could overflow its malloced buffer) Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

commit: 352f79acbd759c14399e39baef21fc4ffe180ac2 [log] [tgz]
author: Denys Vlasenko <vda.linux@googlemail.com> Fri Feb 26 15:54:56 2016 +0100
committer: Denys Vlasenko <vda.linux@googlemail.com> Fri Feb 26 15:54:56 2016 +0100
tree: ce5e4d90cb44d6320eca3fc1fc794654b9c01952
parent: 5bec08cebd559c906eb94b8b957afb9f0b8db338 [diff] [blame]
diff --git a/networking/udhcp/dhcpc.c b/networking/udhcp/dhcpc.c
index 48097bc..2fe84e1 100644
--- a/networking/udhcp/dhcpc.c
+++ b/networking/udhcp/dhcpc.c

@@ -113,7 +113,7 @@
 	[OPTION_IP              ] = sizeof("255.255.255.255 "),
 	[OPTION_IP_PAIR         ] = sizeof("255.255.255.255 ") * 2,
 	[OPTION_STATIC_ROUTES   ] = sizeof("255.255.255.255/32 255.255.255.255 "),
-	[OPTION_6RD             ] = sizeof("32 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
+	[OPTION_6RD             ] = sizeof("132 128 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 255.255.255.255 "),
 	[OPTION_STRING          ] = 1,
 	[OPTION_STRING_HOST     ] = 1,
 #if ENABLE_FEATURE_UDHCP_RFC3397
@@ -222,7 +222,7 @@
 	type = optflag->flags & OPTION_TYPE_MASK;
 	optlen = dhcp_option_lengths[type];
 	upper_length = len_of_option_as_string[type]
-		* ((unsigned)(len + optlen - 1) / (unsigned)optlen);
+		* ((unsigned)(len + optlen) / (unsigned)optlen);
 
 	dest = ret = xmalloc(upper_length + strlen(opt_name) + 2);
 	dest += sprintf(ret, "%s=", opt_name);
commit	352f79acbd759c14399e39baef21fc4ffe180ac2	[log] [tgz]
author	Denys Vlasenko <vda.linux@googlemail.com>	Fri Feb 26 15:54:56 2016 +0100
committer	Denys Vlasenko <vda.linux@googlemail.com>	Fri Feb 26 15:54:56 2016 +0100
tree	ce5e4d90cb44d6320eca3fc1fc794654b9c01952
parent	5bec08cebd559c906eb94b8b957afb9f0b8db338 [diff] [blame]