From ff7ce1d50285d8f5467dcb4b8dd4dc08b8fc1f79 Mon Sep 17 00:00:00 2001 From: Anatole Denis Date: Tue, 8 Oct 2019 14:02:04 +0200 Subject: dhcpv4: Avoid a panic in ToBytes() with long strings When BootFileName is longer than 128 bytes or ServerHostName is longer than 64 bytes, trying to null-terminate the strings when writing out the packet causes a panic. Since the ToBytes() function cannot return errors, silently truncate the string instead (we do the same with ClientHWAddr if it is longer than 16 bytes for example) Signed-off-by: Anatole Denis --- dhcpv4/dhcpv4.go | 6 ++---- dhcpv4/dhcpv4_test.go | 12 ++++++++++++ 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/dhcpv4/dhcpv4.go b/dhcpv4/dhcpv4.go index 0bfea48..db418e1 100644 --- a/dhcpv4/dhcpv4.go +++ b/dhcpv4/dhcpv4.go @@ -492,13 +492,11 @@ func (d *DHCPv4) ToBytes() []byte { copy(buf.WriteN(16), d.ClientHWAddr) var sname [64]byte - copy(sname[:], []byte(d.ServerHostName)) - sname[len(d.ServerHostName)] = 0 + copy(sname[:63], []byte(d.ServerHostName)) buf.WriteBytes(sname[:]) var file [128]byte - copy(file[:], []byte(d.BootFileName)) - file[len(d.BootFileName)] = 0 + copy(file[:127], []byte(d.BootFileName)) buf.WriteBytes(file[:]) // The magic cookie. diff --git a/dhcpv4/dhcpv4_test.go b/dhcpv4/dhcpv4_test.go index 3198a66..aa1b2f6 100644 --- a/dhcpv4/dhcpv4_test.go +++ b/dhcpv4/dhcpv4_test.go @@ -4,6 +4,7 @@ import ( "bytes" "net" "strconv" + "strings" "testing" "github.com/insomniacslk/dhcp/iana" @@ -181,6 +182,17 @@ func TestNewToBytes(t *testing.T) { require.Equal(t, expected, got) } +func TestToBytesStringTooLong(t *testing.T) { + d, err := New() + if err != nil { + t.Fatal(err) + } + d.ServerHostName = strings.Repeat("a", 256) + d.BootFileName = strings.Repeat("a", 256) + + require.NotPanics(t, func() { _ = d.ToBytes() }) +} + func TestGetOption(t *testing.T) { d, err := New() if err != nil { -- cgit v1.2.3