10 years ago · de263ad000
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
 
				+935.	[bug]		fdupont
			
 
				+	Fixed 3 out of bounds accesses on vectors in DHCP++ code.
			
 
				+	(Trac #3854, git xxx)
			
 
				+
			
 
				 934.	[bug]		fdupont
			
 
				 	Renamed the DHCP-DDNS constant INVALID_SOCKET to SOCKET_NOT_VALID
			
 
				 	to avoid conflicting with a constant of that name defined on some
			
--- a/src/lib/dhcp/pkt4.cc
+++ b/src/lib/dhcp/pkt4.cc
@@ -124,7 +124,7 @@ Pkt4::pack() {
 
				         buffer_out_.writeUint32(giaddr_);
			
 
				 
			
 
				 
			
 
				-        if (hw_len <= MAX_CHADDR_LEN) {
			
 
				+        if ((hw_len > 0) && (hw_len <= MAX_CHADDR_LEN)) {
			
 
				             // write up to 16 bytes of the hardware address (CHADDR field is 16
			
 
				             // bytes long in DHCPv4 message).
			
 
				             buffer_out_.writeData(&hwaddr_->hwaddr_[0],
			
@@ -136,8 +136,10 @@ Pkt4::pack() {
 
				         }
			
 
				 
			
 
				         // write (len) bytes of padding
			
 
				-        vector<uint8_t> zeros(hw_len, 0);
			
 
				-        buffer_out_.writeData(&zeros[0], hw_len);
			
 
				+        if (hw_len > 0) {
			
 
				+            vector<uint8_t> zeros(hw_len, 0);
			
 
				+            buffer_out_.writeData(&zeros[0], hw_len);
			
 
				+        }
			
 
				 
			
 
				         buffer_out_.writeData(sname_, MAX_SNAME_LEN);
			
 
				         buffer_out_.writeData(file_, MAX_FILE_LEN);
			
--- a/src/lib/dhcp/pkt6.cc
+++ b/src/lib/dhcp/pkt6.cc
@@ -378,7 +378,7 @@ Pkt6::unpackRelayMsg() {
 
				         bufsize -= DHCPV6_RELAY_HDR_LEN; // 34 bytes (1+1+16+16)
			
 
				 
			
 
				         // parse the rest as options
			
 
				-        OptionBuffer opt_buffer(&data_[offset], &data_[offset+bufsize]);
			
 
				+        OptionBuffer opt_buffer(&data_[offset], &data_[offset] + bufsize);
			
 
				 
			
 
				         // If custom option parsing function has been set, use this function
			
 
				         // to parse options. Otherwise, use standard function from libdhcp.