The net_boot_file_name is a 1024-byte buffer.
However, according to the DHCPv6 RFC, the bootfile-url length is
specified by option_len, a 16-bit unsigned integer
(valid range: 0-65535).
Hence, one needs to make sure that option_len is less
than the size of the net_boot_file_name array before copying
bootfile-url to net_boot_file_name.

Signed-off-by: Francois Berder <[email protected]>
---
 net/dhcpv6.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/dhcpv6.c b/net/dhcpv6.c
index 5bf935cb6a3..51f44979f8e 100644
--- a/net/dhcpv6.c
+++ b/net/dhcpv6.c
@@ -377,6 +377,11 @@ static void dhcp6_parse_options(uchar *rx_pkt, unsigned 
int len)
                        break;
                case DHCP6_OPTION_OPT_BOOTFILE_URL:
                        debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n");
+                       if (option_len >= sizeof(net_boot_file_name)) {
+                               debug("Option length for BOOTFILE_URL is 
greater or equal than %zu. Skipping\n",
+                                     sizeof(net_boot_file_name));
+                               break;
+                       }
                        copy_filename(net_boot_file_name, option_ptr, 
option_len + 1);
                        debug("net_boot_file_name: %s\n", net_boot_file_name);
 
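Review bot: The rejection path added ahead of `copy_filename()` reports only through `debug()`, so on a build without debug output an oversized bootfile-url from a DHCPv6 server is dropped without any trace, presumably leaving `net_boot_file_name` unset. An always-printed message such as `printf("DHCP6: bootfile-url too long (%u), ignored\n", (unsigned int)option_len);` would make that case diagnosable. The guard also bounds only the write into `net_boot_file_name`; whether `option_ptr + option_len` stays within `rx_pkt + len` is not visible here, because dhcp6_parse_options starts and ends outside the hunk, and is worth confirming there. A short comment would explain why the test is `>=` rather than `>`, for example `/* copy_filename() is passed option_len + 1, so the URL plus its terminator must fit */`.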
-- 
2.43.0
