[dhcp] Copy exactly the required length when resizing DHCP options

When resizing DHCP options, iPXE currently calculates the length to be copied by subtracting the destination pointer from the end of buffer pointer. This works and guarantees not to write beyond the end of the buffer, but may end up reading beyond the end of the buffer. Fix by calculating the required length exactly. Signed-off-by: Michael Brown <mcb30@ipxe.org>
ipxe · Feb 26, 2014 · ced4f8d · ced4f8d
1 parent ff341c1
commit ced4f8d
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/src/net/dhcpopts.c b/src/net/dhcpopts.c
@@ -202,7 +202,6 @@ static int resize_dhcp_option ( struct dhcp_options *options,
 	size_t new_encapsulator_len;
 	void *source;
 	void *dest;
-	void *end;
 	int rc;
 
 	/* Check for sufficient space */
@@ -245,8 +244,7 @@ static int resize_dhcp_option ( struct dhcp_options *options,
 	option = dhcp_option ( options, offset );
 	source = ( ( ( void * ) option ) + old_len );
 	dest = ( ( ( void * ) option ) + new_len );
-	end = ( options->data + options->alloc_len );
-	memmove ( dest, source, ( end - dest ) );
+	memmove ( dest, source, ( new_used_len - offset - new_len ) );
 
 	/* Shrink options block, if applicable */
 	if ( new_used_len < options->alloc_len ) {