Synopsis: ISC dhclient subnet-mask flag stack overflow

Synopsis: ISC dhclient subnet-mask flag stack overflow
NetBSD versions: 5.0, 4.0.1, 4.0
Thanks to: Mandriva Linux Engineering Team, Christos Zoulas
Reported in NetBSD Security Advisory: NetBSD-SA2009-010

Index: dhclient.c
diff -u dhclient.c:1.19 dhclient.c:1.20
--- dhclient.c:1.19 Tue Feb 26 05:03:29 2008
+++ dhclient.c Tue Jun 23 19:50:50 2009
@@ -2520,6 +2520,8 @@
if (data.len > 3) {
struct iaddr netmask, subnet, broadcast;

+ if (data.len > sizeof netmask.iabuf)
+ data.len = sizeof netmask.iabuf;
memcpy (netmask.iabuf, data.data, data.len);
netmask.len = data.len;
data_string_forget (&data, MDL);