Closed hac425xxx closed 2 years ago
https://github.com/pyke369/pdhcp/tree/d6ed167c2b94b925cb03fff379886fcb51bf8f86
Stack overflow. First, `service_handler` receives data from the network into `packet`, which is 512 bytes, and then passes it to `dhcp_decode` for DHCP decoding:

```c
// service handler (excerpt from the report)
void service_handler(struct ev_loop *loop, struct ev_io *watcher, int events)
{
    uint8_t packet[BUFSIZ];
    char    output[BUFSIZ], message[256];

    gettimeofday(&now, NULL);
    ssize = sizeof(frame->remote);
    frame = (DHCP_FRAME *)packet;   // a BUFSIZ byte array is reinterpreted as a DHCP_FRAME
    if ((size = recvfrom(service, packet, sizeof(packet), 0,
                         (struct sockaddr *)&frame->remote, &ssize)) > 0) {
        if (dhcp_decode(frame, size, output, sizeof(output), message, sizeof(message))) {
```

In `dhcp_decode`, `packet` is treated as a `DHCP_FRAME` struct, but `DHCP_FRAME` is far larger than `BUFSIZ`, so the function writes out of bounds:

```c
bool dhcp_decode(DHCP_FRAME *frame, ssize_t frame_size, char *output, ssize_t output_size,
                 char *error, size_t error_size)
{
    output[strlen(output) - 1] = '}';
    memcpy(frame->key, frame->chaddr, ETH_ALEN);                 // writes directly at frame + 0x901
    memcpy(frame->key + ETH_ALEN, (uint8_t *)&(frame->xid), 4);  // writes at frame + 0x907
    frame->key[10] = frame->dhcp_type;
    frame->expire  = time(NULL) + 10;
    return true;
}
```
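Added example, not code from pdhcp or the reporter: the defensive pattern for the bug above, where the receive storage is the struct itself and the decoder refuses to touch the in-memory fields (`key`, `expire`) unless the backing allocation actually holds a whole `DHCP_FRAME`. The struct layout, `WIRE_MAX`, and the `*_checked` / `handle_wire_packet` names are assumptions standing in for the project's real definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>

#define ETH_ALEN 6
#define WIRE_MAX 512 /* constructed: largest on-wire packet the handler accepts */

/* Hypothetical layout standing in for pdhcp's DHCP_FRAME: wire fields first,
 * then in-memory bookkeeping fields (key, expire) that never arrive on the wire. */
typedef struct {
    uint8_t  op, htype, hlen, hops;
    uint8_t  xid[4];
    uint8_t  chaddr[16];
    uint8_t  rest[WIRE_MAX - 24];   /* remainder of the wire packet */
    uint8_t  dhcp_type;             /* set during option parsing (not shown) */
    uint8_t  key[ETH_ALEN + 5];     /* written by decode: chaddr + xid + type */
    time_t   expire;
} DHCP_FRAME;

/* Hardened decode: the caller states how many bytes back `frame`, and the
 * function refuses to write the bookkeeping fields unless the whole struct fits. */
bool dhcp_decode_checked(DHCP_FRAME *frame, size_t backing_size, ssize_t frame_size) {
    if (backing_size < sizeof(DHCP_FRAME))
        return false;               /* key/expire would land past the buffer */
    if (frame_size < (ssize_t)offsetof(DHCP_FRAME, rest) || frame_size > WIRE_MAX)
        return false;               /* truncated or oversized wire packet */
    memcpy(frame->key, frame->chaddr, ETH_ALEN);
    memcpy(frame->key + ETH_ALEN, frame->xid, 4);
    frame->key[10] = frame->dhcp_type;
    frame->expire = time(NULL) + 10;
    return true;
}

/* Receive-side pattern: the storage is the struct itself, not a BUFSIZ byte
 * array, so reinterpreting it as DHCP_FRAME can never run past the allocation. */
bool handle_wire_packet(const uint8_t *data, size_t len, DHCP_FRAME *out) {
    if (len > WIRE_MAX)
        return false;
    memset(out, 0, sizeof(*out));
    memcpy(out, data, len);         /* only the wire bytes come from the network */
    return dhcp_decode_checked(out, sizeof(*out), (ssize_t)len);
}
```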
The PDHCP software was migrated to Golang 2 years+ ago, I'll close this issue.