udhcpd: mangle hostnames starting with dash ("-option")
authorDenys Vlasenko <vda.linux@googlemail.com>
Tue, 14 Jan 2020 16:05:48 +0000 (17:05 +0100)
committerDenys Vlasenko <vda.linux@googlemail.com>
Tue, 14 Jan 2020 16:07:18 +0000 (17:07 +0100)
function                                             old     new   delta
add_lease                                            316     328     +12

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
networking/udhcp/dhcpd.c

index 3e08ec01188057d97bb7b2997ae0451c167b21c3..9d6604943e180fc5353ada2703031eeec1294e1b 100644 (file)
@@ -192,6 +192,8 @@ static struct dyn_lease *add_lease(
                         * but merely make dumpleases output safe for shells to use.
                         * We accept "0-9A-Za-z._-", all other chars turn to dots.
                         */
+                       if (*p == '-')
+                               *p = '.'; /* defeat "-option" attacks too */
                        while (*p) {
                                if (!isalnum(*p) && *p != '-' && *p != '_')
                                        *p = '.';
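Review bot: The block comment just above the added check still says `We accept "0-9A-Za-z._-"`, which no longer describes the code now that a leading dash is rewritten. I would fold the new rule into that comment, e.g. `* We accept "0-9A-Za-z._-" (except a leading '-'), all other chars turn to dots.`, so the next reader does not have to reconcile the two statements. Checking only the first byte looks sufficient here, because the loop below turns whitespace into dots and the name therefore stays a single shell word. That reasoning deserves a short line next to `/* defeat "-option" attacks too */`. The body of add_lease starts and ends outside this hunk, so where p comes from is not visible; it is presumably the client-supplied hostname.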