[Dnsmasq-discuss] [PATCH] Add support for unique TFTP root per MAC

Simon Kelley simon at thekelleys.org.uk
Sun Apr 9 22:28:48 BST 2017


Patch accepted, with one change


> 	  snprintf(daemon->namebuff+oldlen, sizeof(daemon->namebuff)-oldlen, "%.2x-%.2x-%.2x-%.2x-%.2x-%.2x/",


daemon->namebuff is a char *, so sizeof(daemon->namebuff) is 4 or 8 and
sizeof(daemon->namebuff)-oldlen is a negative number which is a large
positive number when promoted to unsigned size_t. There's thus
effectively no protection here against buffer overflow.

In such ways are security CVEs seeded :)

I changed sizeof(daemon->namebuff) to (MAXDNAME-1) which is the
buffer-size limit used elsewhere in this code.

Cheers,

Simon.
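
The bound computation discussed in this message, as an added example that is not code from dnsmasq or from the patch: it contrasts the size derived from `sizeof` on a `char *` with a size derived from the buffer's real capacity, and shows an append that rejects truncation. `BUF_LIMIT`, the function names and the sample path are assumptions; `BUF_LIMIT` stands in for the `(MAXDNAME-1)` limit.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LIMIT 64 /* assumed stand-in for the (MAXDNAME-1) limit */

/* Bound as in the quoted line: buf is a char *, so sizeof gives 4 or 8. */
size_t bound_from_pointer(char *buf, size_t oldlen)
{
  return sizeof(buf) - oldlen; /* size_t arithmetic wraps once oldlen > sizeof(char *) */
}

/* Bound from the real capacity, clamped so it can never wrap. */
size_t bound_from_limit(size_t oldlen)
{
  return oldlen < BUF_LIMIT ? BUF_LIMIT - oldlen : 0;
}

/* Append "xx-xx-xx-xx-xx-xx/" to the path in buf (capacity BUF_LIMIT + 1).
   Returns 0 on success, -1 (buf restored) if it does not fit. */
int append_mac_dir(char *buf, const unsigned char *mac)
{
  size_t oldlen = strlen(buf);
  size_t room = bound_from_limit(oldlen);
  int n = snprintf(buf + oldlen, room, "%.2x-%.2x-%.2x-%.2x-%.2x-%.2x/",
                   mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);

  if (n < 0 || (size_t)n >= room)
    {
      buf[oldlen] = '\0'; /* drop the truncated tail */
      return -1;
    }
  return 0;
}

int main(void)
{
  char buf[BUF_LIMIT + 1] = "/srv/tftp/"; /* constructed sample TFTP root */
  const unsigned char mac[6] = { 0x00, 0x11, 0x22, 0xaa, 0xbb, 0xcc };

  printf("pointer-based bound at oldlen=20: %zu\n", bound_from_pointer(buf, 20));
  printf("limit-based bound at oldlen=20:   %zu\n", bound_from_limit(20));
  if (append_mac_dir(buf, mac) == 0)
    printf("%s\n", buf);
  return 0;
}
```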
