udhcpd: untangle incredibly messy handling of DHCPREQUEST

Also fixes attacks possible via DHCPDECLINE / DHCPRELEASE function old new delta udhcpd_main 1846 1949 +103 send_renew 105 142 +37 send_NAK 61 - -61 send_ACK 180 - -180 ------------------------------------------------------------------------------ (add/remove: 0/2 grow/shrink: 2/0 up/down: 140/-241) Total: -101 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2010-03-21 06:15:28 +01:00
parent 2e7aa92836
commit c7dc79e71d
9 changed files with 268 additions and 185 deletions
--- a/networking/udhcp/packet.c
+++ b/networking/udhcp/packet.c
@ -21,7 +21,7 @@

 void FAST_FUNC udhcp_init_header(struct dhcp_packet *packet, char type)
 {
-	memset(packet, 0, sizeof(struct dhcp_packet));
+	memset(packet, 0, sizeof(*packet));
 	packet->op = BOOTREQUEST; /* if client to a server */
 	switch (type) {
 	case DHCPOFFER:
@ -29,10 +29,11 @@ void FAST_FUNC udhcp_init_header(struct dhcp_packet *packet, char type)
 	case DHCPNAK:
 		packet->op = BOOTREPLY; /* if server to client */
 	}
-	packet->htype = ETH_10MB;
-	packet->hlen = ETH_10MB_LEN;
+	packet->htype = 1; /* ethernet */
+	packet->hlen = 6;
 	packet->cookie = htonl(DHCP_MAGIC);
-	packet->options[0] = DHCP_END;
+	if (DHCP_END != 0)
+		packet->options[0] = DHCP_END;
 	add_simple_option(packet->options, DHCP_MESSAGE_TYPE, type);
 }

@ -228,6 +229,7 @@ int FAST_FUNC udhcp_send_raw_packet(struct dhcp_packet *dhcp_pkt,
 	msg = "sendto";
 ret_close:
 	close(fd);
+	/* FIXME: and if result >= 0 but != IP_UPD_DHCP_SIZE? */
 	if (result < 0) {
 ret_msg:
 		bb_perror_msg(msg, "PACKET");
@ -280,6 +282,7 @@ int FAST_FUNC udhcp_send_kernel_packet(struct dhcp_packet *dhcp_pkt,
 	msg = "write";
 ret_close:
 	close(fd);
+	/* FIXME: and if result >= 0 but != DHCP_SIZE? */
 	if (result < 0) {
 ret_msg:
 		bb_perror_msg(msg, "UDP");