Alignment fixes

md5_final() writes to the hash buffer in 32-bit chunks, so it needs
to be 32-bit aligned.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

The packet buffer needs to be 32-bit aligned to ensure that the various
32-bit fields we pick out are naturally aligned.
The control message buffers need to be naturally aligned for struct
cmsghdr.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

struct odhcp6c_entry is not declared as __packed, so the compiler may
assume it is naturally aligned.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Security/regression fixes

The end of the IA option is odata + olen; there's no need to add anything.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

I broke entry_to_env() by incrementing the wrong variable in commit
a6bbd1d7f5c2 ("Fix potential buffer overflow in entry_to_env").
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

After removing an entry, the next entry will be at the same offset as
the entry we just removed. Also the total length will have changed.
Update the length when we remove an entry, and advance the offset only
when we don't.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

When setting an environment variable as a space-separated list, and
the list is empty, we must not delete the '=' before the value.
In practice putenv() is likely to discard the invalid string, leaving
the variable unset, but this is not guaranteed.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

These might be redundant with checks elsewhere but it's better to be
safe.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

We should not include any control characters from the server status
message when logging it; in particular if we include '\n' this could
result in additional arbitrary log lines. In dhcpv6_log_status_code,
replace all control characters with '?'.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

We currently only support PD exclusions that only affect bits 64-95 of
the address, so we require:
32 <= PD prefix length < exclusion prefix length <= 64
The first inequality was not validated, and this could result in a
buffer overflow when generating the next request message.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

If we fail to store information from the new server, the associated
NA and PD options will never be freed. An attacker could use this
for denial-of-service.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Some callers will need to free resources on failure.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

An 8-bit prefix-length field can be as large as 255, but values larger
than 128 will result in a buffer overflow when copying to in6.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

We need to allow for '=', negative sign, 10 digits and the null
terminator, adding up to 13 bytes not 12.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

It appears that an entry of type ENTRY_PREFIX with iaid != 1 and an
exclusion can expand to a string of length up to 154 bytes, whereas we
allocate only 144 bytes per entry.
Also, in case of truncation, snprintf() returns the length of the
un-truncated output so we must not use this to increment buf_len.
Finally some of the lengths given to snprintf() are unnecessarily
generous. Reduce them so we don't have to increase the allocated
length per entry further.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

If dn_expand() returns an error we could copy from an uninitialised
output buffer or append the previous domain name again.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Actions launched as resume will be used in a next script_call
if the new action is not marked as resume even when the previous
script run was already terminated.
This behavior is particularly visible when a RA is received as
the script will run with action bound and not ra-updated
resulting in a wan6 interface down/up transition

Signed-off-by: Steven Barth <steven@midlink.org>

Start with Information-request when configured not to ask
IA_NA/IA_PD. It allows completing the exchange using only
two messages, instead of four, and fixes infinite Advertise
waiting loop with servers that just ignore Solicit messages.

Signed-off-by: Steven Barth <steven@midlink.org>

Signed-off-by: Steven Barth <steven@midlink.org>

Signed-off-by: Steven Barth <steven@midlink.org>

Signed-off-by: Steven Barth <steven@midlink.org>

Signed-off-by: Steven Barth <steven@midlink.org>

Signed-off-by: Steven Barth <steven@midlink.org>

Signed-off-by: Steven Barth <steven@midlink.org>

Signed-off-by: John Crispin <blogic@openwrt.org>

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

Signed-off-by: Steven Barth <steven@midlink.org>

Document that the value of -c must be a 16-bit type (network byte order) followed by a client-ID value.
For example, to use a UUID based client-ID (type 4, RFC 6355) one could use the following cmdline option:
-c0004<128_bit_uuid_in_hex>

Signed-off-by: Steven Barth <steven@midlink.org>