Fix buffer overflow when configured lease-change script name is too long.

Thanks to Daniel Rhea for finding this one.
Simon Kelley
2024-11-21 15:42:49 +00:00
parent b087cf4a6c
commit ae85ea3858
2 changed files with 8 additions and 0 deletions


@@ -11,6 +11,10 @@ version 2.91
which is clearly rare in the wild, but if it did exist it could which is clearly rare in the wild, but if it did exist it could
provoke a SIGSEV. Thanks to Daniel Rhea for fuzzing this one. provoke a SIGSEV. Thanks to Daniel Rhea for fuzzing this one.
Fix buffer overflow when configured lease-change script name
is too long.
Thanks to Daniel Rhea for finding this one.
version 2.90 version 2.90
Fix reversion in --rev-server introduced in 2.88 which Fix reversion in --rev-server introduced in 2.88 which
caused breakage if the prefix length is not exactly divisible caused breakage if the prefix length is not exactly divisible
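
Review bot: The new entry under version 2.91 names the overflow but not the behaviour change that comes with the fix: with the check added in lease_init(), a lease-change script name that does not fit is now rejected through die() with "lease-change script name is too long". Consider stating that in the entry, so that anyone who hits the new error can trace it back to this change.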


@@ -150,6 +150,10 @@ void lease_init(time_t now)
#ifdef HAVE_SCRIPT #ifdef HAVE_SCRIPT
if (daemon->lease_change_command) if (daemon->lease_change_command)
{ {
/* 6 == strlen(" init") plus terminator */
if (strlen(daemon->lease_change_command) + 6 > DHCP_BUFF_SZ)
die(_("lease-change script name is too long"), NULL, EC_FILE);
strcpy(daemon->dhcp_buff, daemon->lease_change_command); strcpy(daemon->dhcp_buff, daemon->lease_change_command);
strcat(daemon->dhcp_buff, " init"); strcat(daemon->dhcp_buff, " init");
leasestream = popen(daemon->dhcp_buff, "r"); leasestream = popen(daemon->dhcp_buff, "r");
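
Review bot: In the added check in lease_init(), the constant 6 is tied to the literal " init" only by the comment, and the bound assumes daemon->dhcp_buff is exactly DHCP_BUFF_SZ bytes, which this hunk does not show. Consider deriving the length from the literal, for example `strlen(daemon->lease_change_command) + sizeof(" init") > DHCP_BUFF_SZ`, or building the command with snprintf() bounded by DHCP_BUFF_SZ and calling die() when the return value shows truncation, so the check and the strcpy()/strcat() pair cannot drift apart if the suffix ever changes.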