dhcpv4: Avoid a panic in ToBytes() with long strings

When BootFileName is longer than 128 bytes or ServerHostName is longer
than 64 bytes, trying to null-terminate the strings when writing out the
packet causes a panic.

Since the ToBytes() function cannot return errors, silently truncate the
string instead (we do the same with ClientHWAddr if it is longer than 16
bytes for example)

Signed-off-by: Anatole Denis <natolumin@unverle.fr>

2 files changed, 14 insertions, 4 deletions

diff --git a/dhcpv4/dhcpv4.go b/dhcpv4/dhcpv4.go
index 0bfea48..db418e1 100644
--- a/dhcpv4/dhcpv4.go
+++ b/dhcpv4/dhcpv4.go
@@ -492,13 +492,11 @@ func (d *DHCPv4) ToBytes() []byte {
 	copy(buf.WriteN(16), d.ClientHWAddr)
 
 	var sname [64]byte
-	copy(sname[:], []byte(d.ServerHostName))
-	sname[len(d.ServerHostName)] = 0
+	copy(sname[:63], []byte(d.ServerHostName))
 	buf.WriteBytes(sname[:])
 
 	var file [128]byte
-	copy(file[:], []byte(d.BootFileName))
-	file[len(d.BootFileName)] = 0
+	copy(file[:127], []byte(d.BootFileName))
 	buf.WriteBytes(file[:])
 
 	// The magic cookie.
diff --git a/dhcpv4/dhcpv4_test.go b/dhcpv4/dhcpv4_test.go
index 3198a66..aa1b2f6 100644
--- a/dhcpv4/dhcpv4_test.go
+++ b/dhcpv4/dhcpv4_test.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"net"
 	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/insomniacslk/dhcp/iana"
@@ -181,6 +182,17 @@ func TestNewToBytes(t *testing.T) {
 	require.Equal(t, expected, got)
 }
 
+func TestToBytesStringTooLong(t *testing.T) {
+	d, err := New()
+	if err != nil {
+		t.Fatal(err)
+	}
+	d.ServerHostName = strings.Repeat("a", 256)
+	d.BootFileName = strings.Repeat("a", 256)
+
+	require.NotPanics(t, func() { _ = d.ToBytes() })
+}
+
 func TestGetOption(t *testing.T) {
 	d, err := New()
 	if err != nil {