loader: verify the value from dhcp.interface-mtu and use snprintf to set mtu

Since the uset can set dhcp.interface-mtu, we need to try to validate the value. So we verify if the conversion to int is successful and we will not allow to set value greater than max IPv4 packet size. Also use snprintf for safety. Reviewed by: allanjude, bapt Approved by: allanjude (mentor) Differential Revision: https://reviews.freebsd.org/D8492
svn path=/head/; revision=315653
2025-01-20 15:43:16 +00:00 · 2017-03-20 22:20:17 +00:00 · 2017-03-20 22:20:17 +00:00 · c1e968fb62 · 2020-12-20 02:59:44 +00:00
commit c1e968fb62
parent 98339da12a
3 changed files with 24 additions and 5 deletions
--- a/lib/libstand/bootp.c
+++ b/lib/libstand/bootp.c
@ -39,6 +39,7 @@
 __FBSDID("$FreeBSD$");

 #include <sys/types.h>
+#include <sys/limits.h>
 #include <sys/endian.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@ -403,11 +404,29 @@ vend_rfc1048(cp, len)
 			strlcpy(hostname, val, sizeof(hostname));
 		}
 		if (tag == TAG_INTF_MTU) {
+			intf_mtu = 0;
 			if ((val = getenv("dhcp.interface-mtu")) != NULL) {
-				intf_mtu = (u_int)strtoul(val, NULL, 0);
-			} else {
-				intf_mtu = be16dec(cp);
+				unsigned long tmp;
+				char *end;
+
+				errno = 0;
+				/*
+				 * Do not allow MTU to exceed max IPv4 packet
+				 * size, max value of 16-bit word.
+				 */
+				tmp = strtoul(val, &end, 0);
+				if (errno != 0 ||
+				    *val == '\0' || *end != '\0' ||
+				    tmp > USHRT_MAX) {
+					printf("%s: bad value: \"%s\", "
+					    "ignoring\n",
+					    "dhcp.interface-mtu", val);
+				} else {
+					intf_mtu = (u_int)tmp;
+				}
 			}
+			if (intf_mtu <= 0)
+				intf_mtu = be16dec(cp);
 		}
 #ifdef SUPPORT_DHCP
 		if (tag == TAG_DHCP_MSGTYPE) {
--- a/sys/boot/common/dev_net.c
+++ b/sys/boot/common/dev_net.c
@ -175,7 +175,7 @@ net_open(struct open_file *f, ...)
 		}
 		if (intf_mtu != 0) {
 			char mtu[16];
-			sprintf(mtu, "%u", intf_mtu);
+			snprintf(mtu, sizeof(mtu), "%u", intf_mtu);
 			setenv("boot.netif.mtu", mtu, 1);
 		}

--- a/sys/boot/i386/libi386/pxe.c
+++ b/sys/boot/i386/libi386/pxe.c
@ -342,7 +342,7 @@ pxe_open(struct open_file *f, ...)
 			}
 			if (intf_mtu != 0) {
 				char mtu[16];
-				sprintf(mtu, "%u", intf_mtu);
+				snprintf(sizeof(mtu), mtu, "%u", intf_mtu);
 				setenv("boot.netif.mtu", mtu, 1);
 			}
 			printf("pxe_open: server addr: %s\n", inet_ntoa(rootip));