1 /* $OpenBSD: options.c,v 1.15 2004/12/26 03:17:07 deraadt Exp $ */
3 /* DHCP options parsing and reassembly. */
6 * SPDX-License-Identifier: BSD-3-Clause
8 * Copyright (c) 1995, 1996, 1997, 1998 The Internet Software Consortium.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. Neither the name of The Internet Software Consortium nor the names
21 * of its contributors may be used to endorse or promote products derived
22 * from this software without specific prior written permission.
24 * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
25 * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
26 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
27 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
28 * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
29 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
30 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
31 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
32 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
33 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
34 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
35 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * This software has been written for the Internet Software Consortium
39 * by Ted Lemon <mellon@fugue.com> in cooperation with Vixie
40 * Enterprises. To learn more about the Internet Software Consortium,
41 * see ``http://www.vix.com/isc''. To learn more about Vixie
42 * Enterprises, see ``http://www.vix.com''.
45 #include <sys/cdefs.h>
46 __FBSDID("$FreeBSD$");
50 #define DHCP_OPTION_DATA
54 int bad_options_max = 5;
56 void parse_options(struct packet *);
57 void parse_option_buffer(struct packet *, unsigned char *, int);
58 int store_options(unsigned char *, int, struct tree_cache **,
59 unsigned char *, int, int, int, int);
60 void expand_domain_search(struct packet *packet);
61 int find_search_domain_name_len(struct option_data *option, int *offset);
62 void expand_search_domain_name(struct option_data *option, int *offset,
63 unsigned char **domain_search);
67 * Parse all available options out of the specified packet.
70 parse_options(struct packet *packet)
72 /* Initially, zero all option pointers. */
73 memset(packet->options, 0, sizeof(packet->options));
75 /* If we don't see the magic cookie, there's nothing to parse. */
76 if (memcmp(packet->raw->options, DHCP_OPTIONS_COOKIE, 4)) {
77 packet->options_valid = 0;
82 * Go through the options field, up to the end of the packet or
85 parse_option_buffer(packet, &packet->raw->options[4],
86 packet->packet_length - DHCP_FIXED_NON_UDP - 4);
89 * If we parsed a DHCP Option Overload option, parse more
90 * options out of the buffer(s) containing them.
92 if (packet->options_valid &&
93 packet->options[DHO_DHCP_OPTION_OVERLOAD].data) {
94 if (packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 1)
95 parse_option_buffer(packet,
96 (unsigned char *)packet->raw->file,
97 sizeof(packet->raw->file));
98 if (packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 2)
99 parse_option_buffer(packet,
100 (unsigned char *)packet->raw->sname,
101 sizeof(packet->raw->sname));
104 /* Expand DHCP Domain Search option. */
105 if (packet->options_valid) {
106 expand_domain_search(packet);
111 * Parse options out of the specified buffer, storing addresses of
112 * option values in packet->options and setting packet->options_valid if
113 * no errors are encountered.
116 parse_option_buffer(struct packet *packet,
117 unsigned char *buffer, int length)
119 unsigned char *s, *t, *end = buffer + length;
122 for (s = buffer; *s != DHO_END && s < end; ) {
125 /* Pad options don't have a length - just skip them. */
126 if (code == DHO_PAD) {
136 * All other fields (except end, see above) have a
142 * If the length is outrageous, silently skip the rest,
143 * and mark the packet bad. Unfortunately some crappy
144 * dhcp servers always seem to give us garbage on the
145 * end of a packet. so rather than keep refusing, give
146 * up and try to take one after seeing a few without
149 if (s + len + 2 > end) {
152 warning("option %s (%d) %s.",
153 dhcp_options[code].name, len,
154 "larger than buffer");
155 if (bad_options == bad_options_max) {
156 packet->options_valid = 1;
158 warning("Many bogus options seen in offers. "
159 "Taking this offer in spite of bogus "
160 "options - hope for the best!");
162 warning("rejecting bogus offer.");
163 packet->options_valid = 0;
168 * If we haven't seen this option before, just make
169 * space for it and copy it there.
171 if (!packet->options[code].data) {
172 if (!(t = calloc(1, len + 1)))
173 error("Can't allocate storage for option %s.",
174 dhcp_options[code].name);
176 * Copy and NUL-terminate the option (in case
177 * it's an ASCII string.
179 memcpy(t, &s[2], len);
181 packet->options[code].len = len;
182 packet->options[code].data = t;
185 * If it's a repeat, concatenate it to whatever
186 * we last saw. This is really only required
187 * for clients, but what the heck...
189 t = calloc(1, len + packet->options[code].len + 1);
191 error("Can't expand storage for option %s.",
192 dhcp_options[code].name);
193 memcpy(t, packet->options[code].data,
194 packet->options[code].len);
195 memcpy(t + packet->options[code].len,
197 packet->options[code].len += len;
198 t[packet->options[code].len] = 0;
199 free(packet->options[code].data);
200 packet->options[code].data = t;
204 packet->options_valid = 1;
208 * Expand DHCP Domain Search option. The value of this option is
209 * encoded like DNS' list of labels. See:
214 expand_domain_search(struct packet *packet)
216 int offset, expanded_len, next_domain_len;
217 struct option_data *option;
218 unsigned char *domain_search, *cursor;
220 if (packet->options[DHO_DOMAIN_SEARCH].data == NULL)
223 option = &packet->options[DHO_DOMAIN_SEARCH];
225 /* Compute final expanded length. */
228 while (offset < option->len) {
229 next_domain_len = find_search_domain_name_len(option, &offset);
230 if (next_domain_len < 0)
231 /* The Domain Search option value is invalid. */
234 /* We add 1 for the space between domain names. */
235 expanded_len += next_domain_len + 1;
237 if (expanded_len > 0)
238 /* Remove 1 for the superfluous trailing space. */
241 domain_search = malloc(expanded_len + 1);
242 if (domain_search == NULL)
243 error("Can't allocate storage for expanded domain-search\n");
246 cursor = domain_search;
247 while (offset < option->len) {
248 expand_search_domain_name(option, &offset, &cursor);
252 domain_search[expanded_len] = '\0';
255 option->len = expanded_len;
256 option->data = domain_search;
260 find_search_domain_name_len(struct option_data *option, int *offset)
262 int domain_name_len, i, label_len, pointer, pointed_len;
267 while (i < option->len) {
268 label_len = option->data[i];
269 if (label_len == 0) {
271 * A zero-length label marks the end of this
275 return (domain_name_len);
276 } else if (label_len & 0xC0) {
277 /* This is a pointer to another list of labels. */
278 if (i + 1 >= option->len) {
279 /* The pointer is truncated. */
280 warning("Truncated pointer in DHCP Domain "
285 pointer = ((label_len & ~(0xC0)) << 8) +
287 if (pointer >= *offset) {
289 * The pointer must indicate a prior
292 warning("Invalid forward pointer in DHCP "
293 "Domain Search option compression.");
297 pointed_len = find_search_domain_name_len(option,
299 domain_name_len += pointed_len;
302 return (domain_name_len);
305 if (i + label_len >= option->len) {
306 warning("Truncated label in DHCP Domain Search "
312 * Update the domain name length with the length of the
313 * current label, plus a trailing dot ('.').
315 domain_name_len += label_len + 1;
321 warning("Truncated DHCP Domain Search option.");
327 expand_search_domain_name(struct option_data *option, int *offset,
328 unsigned char **domain_search)
330 int i, label_len, pointer;
331 unsigned char *cursor;
334 * This is the same loop than the function above
335 * (find_search_domain_name_len). Therefore, we remove checks,
336 * they're already done. Here, we just make the copy.
339 cursor = *domain_search;
340 while (i < option->len) {
341 label_len = option->data[i];
342 if (label_len == 0) {
344 * A zero-length label marks the end of this
348 *domain_search = cursor;
350 } else if (label_len & 0xC0) {
351 /* This is a pointer to another list of labels. */
352 pointer = ((label_len & ~(0xC0)) << 8) +
355 expand_search_domain_name(option, &pointer, &cursor);
358 *domain_search = cursor;
362 /* Copy the label found. */
363 memcpy(cursor, option->data + i + 1, label_len);
364 cursor[label_len] = '.';
368 cursor += label_len + 1;
373 * cons options into a big buffer, and then split them out into the
374 * three separate buffers if needed. This allows us to cons up a set of
375 * vendor options using the same routine.
378 cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
379 int mms, struct tree_cache **options,
380 int overload, /* Overload flags that may be set. */
381 int terminate, int bootpp, u_int8_t *prl, int prl_len)
383 unsigned char priority_list[300], buffer[4096];
384 int priority_len, main_buffer_size, mainbufix, bufix;
385 int option_size, length;
388 * If the client has provided a maximum DHCP message size, use
389 * that; otherwise, if it's BOOTP, only 64 bytes; otherwise use
390 * up to the minimum IP MTU size (576 bytes).
392 * XXX if a BOOTP client specifies a max message size, we will
397 inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data &&
398 (inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].len >=
401 inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data);
404 main_buffer_size = mms - DHCP_FIXED_LEN;
406 main_buffer_size = 64;
408 main_buffer_size = 576 - DHCP_FIXED_LEN;
410 if (main_buffer_size > sizeof(buffer))
411 main_buffer_size = sizeof(buffer);
413 /* Preload the option priority list with mandatory options. */
415 priority_list[priority_len++] = DHO_DHCP_MESSAGE_TYPE;
416 priority_list[priority_len++] = DHO_DHCP_SERVER_IDENTIFIER;
417 priority_list[priority_len++] = DHO_DHCP_LEASE_TIME;
418 priority_list[priority_len++] = DHO_DHCP_MESSAGE;
421 * If the client has provided a list of options that it wishes
422 * returned, use it to prioritize. Otherwise, prioritize based
423 * on the default priority list.
426 inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].data) {
428 inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].len;
429 if (prlen + priority_len > sizeof(priority_list))
430 prlen = sizeof(priority_list) - priority_len;
432 memcpy(&priority_list[priority_len],
433 inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].data,
435 priority_len += prlen;
438 if (prl_len + priority_len > sizeof(priority_list))
439 prl_len = sizeof(priority_list) - priority_len;
441 memcpy(&priority_list[priority_len], prl, prl_len);
442 priority_len += prl_len;
445 memcpy(&priority_list[priority_len],
446 dhcp_option_default_priority_list,
447 sizeof_dhcp_option_default_priority_list);
448 priority_len += sizeof_dhcp_option_default_priority_list;
451 /* Copy the options into the big buffer... */
452 option_size = store_options(
454 (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0) +
455 ((overload & 2) ? DHCP_SNAME_LEN : 0)),
456 options, priority_list, priority_len, main_buffer_size,
457 (main_buffer_size + ((overload & 1) ? DHCP_FILE_LEN : 0)),
460 /* Put the cookie up front... */
461 memcpy(outpacket->options, DHCP_OPTIONS_COOKIE, 4);
465 * If we're going to have to overload, store the overload option
466 * at the beginning. If we can, though, just store the whole
467 * thing in the packet's option buffer and leave it at that.
469 if (option_size <= main_buffer_size - mainbufix) {
470 memcpy(&outpacket->options[mainbufix],
471 buffer, option_size);
472 mainbufix += option_size;
473 if (mainbufix < main_buffer_size)
474 outpacket->options[mainbufix++] = DHO_END;
475 length = DHCP_FIXED_NON_UDP + mainbufix;
477 outpacket->options[mainbufix++] = DHO_DHCP_OPTION_OVERLOAD;
478 outpacket->options[mainbufix++] = 1;
480 main_buffer_size - mainbufix + DHCP_FILE_LEN)
481 outpacket->options[mainbufix++] = 3;
483 outpacket->options[mainbufix++] = 1;
485 memcpy(&outpacket->options[mainbufix],
486 buffer, main_buffer_size - mainbufix);
487 bufix = main_buffer_size - mainbufix;
488 length = DHCP_FIXED_NON_UDP + mainbufix;
490 if (option_size - bufix <= DHCP_FILE_LEN) {
491 memcpy(outpacket->file,
492 &buffer[bufix], option_size - bufix);
493 mainbufix = option_size - bufix;
494 if (mainbufix < DHCP_FILE_LEN)
495 outpacket->file[mainbufix++] = (char)DHO_END;
496 while (mainbufix < DHCP_FILE_LEN)
497 outpacket->file[mainbufix++] = (char)DHO_PAD;
499 memcpy(outpacket->file,
500 &buffer[bufix], DHCP_FILE_LEN);
501 bufix += DHCP_FILE_LEN;
504 if ((overload & 2) && option_size < bufix) {
505 memcpy(outpacket->sname,
506 &buffer[bufix], option_size - bufix);
508 mainbufix = option_size - bufix;
509 if (mainbufix < DHCP_SNAME_LEN)
510 outpacket->file[mainbufix++] = (char)DHO_END;
511 while (mainbufix < DHCP_SNAME_LEN)
512 outpacket->file[mainbufix++] = (char)DHO_PAD;
519 * Store all the requested options into the requested buffer.
522 store_options(unsigned char *buffer, int buflen, struct tree_cache **options,
523 unsigned char *priority_list, int priority_len, int first_cutoff,
524 int second_cutoff, int terminate)
526 int bufix = 0, option_stored[256], i, ix, tto;
528 /* Zero out the stored-lengths array. */
529 memset(option_stored, 0, sizeof(option_stored));
532 * Copy out the options in the order that they appear in the
535 for (i = 0; i < priority_len; i++) {
536 /* Code for next option to try to store. */
537 int code = priority_list[i];
541 * Number of bytes left to store (some may already have
542 * been stored by a previous pass).
546 /* If no data is available for this option, skip it. */
547 if (!options[code]) {
552 * The client could ask for things that are mandatory,
553 * in which case we should avoid storing them twice...
555 if (option_stored[code])
557 option_stored[code] = 1;
559 /* We should now have a constant length for the option. */
560 length = options[code]->len;
562 /* Do we add a NUL? */
563 if (terminate && dhcp_options[code].format[0] == 't') {
569 /* Try to store the option. */
572 * If the option's length is more than 255, we must
573 * store it in multiple hunks. Store 255-byte hunks
574 * first. However, in any case, if the option data will
575 * cross a buffer boundary, split it across that
582 unsigned char incr = length > 255 ? 255 : length;
585 * If this hunk of the buffer will cross a
586 * boundary, only go up to the boundary in this
589 if (bufix < first_cutoff &&
590 bufix + incr > first_cutoff)
591 incr = first_cutoff - bufix;
592 else if (bufix < second_cutoff &&
593 bufix + incr > second_cutoff)
594 incr = second_cutoff - bufix;
597 * If this option is going to overflow the
600 if (bufix + 2 + incr > buflen) {
605 /* Everything looks good - copy it in! */
606 buffer[bufix] = code;
607 buffer[bufix + 1] = incr;
608 if (tto && incr == length) {
609 memcpy(buffer + bufix + 2,
610 options[code]->value + ix, incr - 1);
611 buffer[bufix + 2 + incr - 1] = 0;
613 memcpy(buffer + bufix + 2,
614 options[code]->value + ix, incr);
624 * Format the specified option so that a human can easily read it.
627 pretty_print_option(unsigned int code, unsigned char *data, int len,
628 int emit_commas, int emit_quotes)
630 static char optbuf[32768]; /* XXX */
631 int hunksize = 0, numhunk = -1, numelem = 0;
632 char fmtbuf[32], *op = optbuf;
633 int i, j, k, opleft = sizeof(optbuf);
634 unsigned char *dp = data;
638 /* Code should be between 0 and 255. */
640 error("pretty_print_option: bad code %d", code);
647 /* Figure out the size of the data. */
648 for (i = 0; dhcp_options[code].format[i]; i++) {
650 warning("%s: Excess information in format string: %s",
651 dhcp_options[code].name,
652 &(dhcp_options[code].format[i]));
656 fmtbuf[i] = dhcp_options[code].format[i];
657 switch (dhcp_options[code].format[i]) {
664 for (k = 0; k < len; k++)
665 if (!isascii(data[k]) ||
701 warning("%s: garbage in format string: %s",
702 dhcp_options[code].name,
703 &(dhcp_options[code].format[i]));
708 /* Check for too few bytes... */
709 if (hunksize > len) {
710 warning("%s: expecting at least %d bytes; got %d",
711 dhcp_options[code].name, hunksize, len);
714 /* Check for too many bytes... */
715 if (numhunk == -1 && hunksize < len)
716 warning("%s: %d extra bytes",
717 dhcp_options[code].name, len - hunksize);
719 /* If this is an array, compute its size. */
721 numhunk = len / hunksize;
722 /* See if we got an exact number of hunks. */
723 if (numhunk > 0 && numhunk * hunksize < len)
724 warning("%s: %d extra bytes at end of array",
725 dhcp_options[code].name, len - numhunk * hunksize);
727 /* A one-hunk array prints the same as a single hunk. */
731 /* Cycle through the array (or hunk) printing the data. */
732 for (i = 0; i < numhunk; i++) {
733 for (j = 0; j < numelem; j++) {
741 for (; dp < data + len; dp++) {
744 if (dp + 1 != data + len ||
751 } else if (*dp == '"' ||
772 foo.s_addr = htonl(getULong(dp));
773 opcount = strlcpy(op, inet_ntoa(foo), opleft);
774 if (opcount >= opleft)
780 opcount = snprintf(op, opleft, "%ld",
782 if (opcount >= opleft || opcount == -1)
788 opcount = snprintf(op, opleft, "%lu",
789 (unsigned long)getULong(dp));
790 if (opcount >= opleft || opcount == -1)
796 opcount = snprintf(op, opleft, "%d",
798 if (opcount >= opleft || opcount == -1)
804 opcount = snprintf(op, opleft, "%u",
806 if (opcount >= opleft || opcount == -1)
812 opcount = snprintf(op, opleft, "%d",
814 if (opcount >= opleft || opcount == -1)
819 opcount = snprintf(op, opleft, "%d", *dp++);
820 if (opcount >= opleft || opcount == -1)
825 opcount = snprintf(op, opleft, "%x", *dp++);
826 if (opcount >= opleft || opcount == -1)
831 opcount = strlcpy(op,
832 *dp++ ? "true" : "false", opleft);
833 if (opcount >= opleft)
838 warning("Unexpected format code %c", fmtbuf[j]);
841 opleft -= strlen(op);
844 if (j + 1 < numelem && comma != ':') {
849 if (i + 1 < numhunk) {
859 warning("dhcp option too large");
864 do_packet(struct interface_info *interface, struct dhcp_packet *packet,
865 int len, unsigned int from_port, struct iaddr from, struct hardware *hfrom)
870 if (packet->hlen > sizeof(packet->chaddr)) {
871 note("Discarding packet with invalid hlen.");
875 memset(&tp, 0, sizeof(tp));
877 tp.packet_length = len;
878 tp.client_port = from_port;
879 tp.client_addr = from;
880 tp.interface = interface;
884 if (tp.options_valid &&
885 tp.options[DHO_DHCP_MESSAGE_TYPE].data)
886 tp.packet_type = tp.options[DHO_DHCP_MESSAGE_TYPE].data[0];
892 /* Free the data associated with the options. */
893 for (i = 0; i < 256; i++)
894 if (tp.options[i].len && tp.options[i].data)
895 free(tp.options[i].data);