]>
Commit | Line | Data |
---|---|---|
9d6ebeaf JR |
1 | --- bootp-2.4.3/bootpd.c.old Wed May 13 11:31:49 1998 |
2 | +++ bootp-2.4.3/bootpd.c Wed May 13 11:34:07 1998 | |
3 | @@ -662,6 +662,7 @@ | |
4 | char *clntpath; | |
5 | char *homedir, *bootfile; | |
6 | int n; | |
7 | + int lpos; | |
8 | ||
9 | /* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */ | |
10 | ||
11 | @@ -859,13 +860,20 @@ | |
12 | * The "real" path is as seen by the BOOTP daemon on this | |
13 | * machine, while the client path is relative to the TFTP | |
14 | * daemon chroot directory (i.e. /tftpboot). | |
15 | + * | |
16 | + * The bootfile might not be properly zero terminated. We | |
17 | + * need to play safe - AC | |
18 | */ | |
19 | if (hp->flags.tftpdir) { | |
20 | + lpos=strlen(hp->tftpdir->string); | |
21 | + if(lpos>=sizeof(realpath)-1) | |
22 | + return; | |
23 | strcpy(realpath, hp->tftpdir->string); | |
24 | - clntpath = &realpath[strlen(realpath)]; | |
25 | + clntpath = &realpath[lpos]; | |
26 | } else { | |
27 | realpath[0] = '\0'; | |
28 | clntpath = realpath; | |
29 | + lpos=0; | |
30 | } | |
31 | ||
32 | /* | |
33 | @@ -906,12 +914,18 @@ | |
34 | if (homedir) { | |
35 | if (homedir[0] != '/') | |
36 | strcat(clntpath, "/"); | |
37 | + lpos+=strlen(homedir); | |
38 | + if(lpos>=sizeof(realpath)) | |
39 | + return; | |
40 | strcat(clntpath, homedir); | |
41 | homedir = NULL; | |
42 | } | |
43 | if (bootfile) { | |
44 | if (bootfile[0] != '/') | |
45 | strcat(clntpath, "/"); | |
46 | + lpos+=strlen(bootfile); | |
47 | + if(lpos>=sizeof(realpath)) | |
48 | + return; | |
49 | strcat(clntpath, bootfile); | |
50 | bootfile = NULL; | |
51 | } | |
52 | @@ -920,8 +934,15 @@ | |
53 | * First try to find the file with a ".host" suffix | |
54 | */ | |
55 | n = strlen(clntpath); | |
56 | - strcat(clntpath, "."); | |
57 | - strcat(clntpath, hp->hostname->string); | |
58 | + | |
59 | + /* | |
60 | + * Don't test if it wont fit. | |
61 | + */ | |
62 | + if(n+1+strlen(hp->hostname->string)<sizeof(realpath)) | |
63 | + { | |
64 | + strcat(clntpath, "."); | |
65 | + strcat(clntpath, hp->hostname->string); | |
66 | + } | |
67 | if (chk_access(realpath, &bootsize) < 0) { | |
68 | clntpath[n] = 0; /* Try it without the suffix */ | |
69 | if (chk_access(realpath, &bootsize) < 0) { |