[git commit] udhcpd: mangle hostnames starting with dash ("-option")
Denys Vlasenko
vda.linux at googlemail.com
Tue Jan 14 16:07:18 UTC 2020
commit: https://git.busybox.net/busybox/commit/?id=020abc8856f94d6e355f4daa972ac75fb05ae113
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
function old new delta
add_lease 316 328 +12
Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
networking/udhcp/dhcpd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/networking/udhcp/dhcpd.c b/networking/udhcp/dhcpd.c
index 3e08ec011..9d6604943 100644
--- a/networking/udhcp/dhcpd.c
+++ b/networking/udhcp/dhcpd.c
@@ -192,6 +192,8 @@ static struct dyn_lease *add_lease(
* but merely make dumpleases output safe for shells to use.
* We accept "0-9A-Za-z._-", all other chars turn to dots.
*/
+ if (*p == '-')
+ *p = '.'; /* defeat "-option" attacks too */
while (*p) {
if (!isalnum(*p) && *p != '-' && *p != '_')
*p = '.';
More information about the busybox-cvs
mailing list