[git commit] udhcpd: mangle hostnames starting with dash ("-option")

Denys Vlasenko vda.linux at googlemail.com
Tue Jan 14 16:07:18 UTC 2020


commit: https://git.busybox.net/busybox/commit/?id=020abc8856f94d6e355f4daa972ac75fb05ae113
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

function                                             old     new   delta
add_lease                                            316     328     +12

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 networking/udhcp/dhcpd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/networking/udhcp/dhcpd.c b/networking/udhcp/dhcpd.c
index 3e08ec011..9d6604943 100644
--- a/networking/udhcp/dhcpd.c
+++ b/networking/udhcp/dhcpd.c
@@ -192,6 +192,8 @@ static struct dyn_lease *add_lease(
 			 * but merely make dumpleases output safe for shells to use.
 			 * We accept "0-9A-Za-z._-", all other chars turn to dots.
 			 */
+			if (*p == '-')
+				*p = '.'; /* defeat "-option" attacks too */
 			while (*p) {
 				if (!isalnum(*p) && *p != '-' && *p != '_')
 					*p = '.';


More information about the busybox-cvs mailing list