[Openib-windows] Possible buffer over run caused by a malformed dhcp packet.

Tzachi Dar tzachid at mellanox.co.il
Wed Mar 8 08:15:35 PST 2006


Hi Fab, 
 
While reading the code of the function __send_mgr_filter_dhcp I got to
think that there might be a problem of a possible buffer overrun caused
by the loop:
 
 while( *p_option != DHCP_OPT_END )
 {
  switch( *p_option )
  {
  case DHCP_OPT_PAD:
   p_option++;
   break;
 
  case DHCP_OPT_MSG:
   msg = p_option[2];
   p_option += 3;
   break;
 
  case DHCP_OPT_CLIENT_ID:
   p_cid = p_option;
   /* Fall through. */
 
  default:
   /*
    * All other options have a length byte following the option code.
    * Offset by the length to get to the next option.
    */
   p_option += (p_option[1] + 2);
  }
 }
Please note that the loop assumes that the buffer will contain the
needed data to stop; however, the size of the packet is not checked, and
therefore the loop can continue past the buffer size, causing a
potential blue screen.
 
 
A similar loop exists in the function __recv_dhcp, probably with the
same problem.
 
Can you please see if there is indeed a problem in these lines?
 
Thanks
Tzachi
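A bounds-checked version of the option walk discussed in the post, added here as an example; it is not code from the ofw driver. It assumes the RFC 2132 option codes (PAD 0, message type 53, client identifier 61, END 255) behind the macro names used in the post, and the result type, its fields and parse_dhcp_options are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Option codes from RFC 2132; the macro names mirror those in the post. */
#define DHCP_OPT_PAD        0
#define DHCP_OPT_MSG        53
#define DHCP_OPT_CLIENT_ID  61
#define DHCP_OPT_END        255

/* Result of the bounds-checked walk (type and field names are mine). */
typedef struct {
    int            ok;    /* 1 only if DHCP_OPT_END was found inside the buffer */
    uint8_t        msg;   /* DHCP message type, 0 if absent */
    const uint8_t *p_cid; /* client-id option code, or NULL */
} dhcp_opts_t;

/* Walk the option area [p_option, p_option + len).  Every read is checked
 * against the bytes remaining, so a truncated or malformed option list ends
 * the walk with ok == 0 instead of running past the buffer. */
dhcp_opts_t parse_dhcp_options(const uint8_t *p_option, size_t len)
{
    dhcp_opts_t r = { 0, 0, NULL };
    const uint8_t *end = p_option + len;

    /* The END test lives inside the loop: the loop condition must not
     * dereference p_option before confirming that a byte is left. */
    while (p_option < end) {
        switch (*p_option) {
        case DHCP_OPT_END:
            r.ok = 1;
            return r;
        case DHCP_OPT_PAD:
            p_option++;
            break;
        default: {
            /* Need the length byte, then the payload it announces. */
            if (end - p_option < 2)
                return r;
            size_t opt_len = p_option[1];
            if ((size_t)(end - p_option) < opt_len + 2)
                return r;
            if (*p_option == DHCP_OPT_MSG && opt_len >= 1)
                r.msg = p_option[2];
            else if (*p_option == DHCP_OPT_CLIENT_ID)
                r.p_cid = p_option;
            p_option += opt_len + 2;
            break;
        }
        }
    }
    return r; /* ran out of bytes before DHCP_OPT_END */
}
```

A caller that receives ok == 0 should drop the packet rather than use a partially filled result.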