fix: V-001 security vulnerability

orbisai0security · orbisai0security · commit 56ccc4e79e9f · 2026-05-07T05:37:15.000Z
Automated security fix generated by Orbis Security AI
diff --git a/components/net/lwip-dhcpd/dhcp_server_raw.c b/components/net/lwip-dhcpd/dhcp_server_raw.c
@@ -266,7 +266,7 @@ dhcp_client_alloc(struct dhcp_server *dhcpserver, struct dhcp_msg *msg,
     {
         return NULL;
     }
-    SMEMCPY(node->chaddr, msg->chaddr, msg->hlen);
+    SMEMCPY(node->chaddr, msg->chaddr, (msg->hlen > sizeof(node->chaddr)) ? sizeof(node->chaddr) : msg->hlen);
     node->ipaddr = dhcpserver->current;
 
     node->next = dhcpserver->node_list;
@@ -731,10 +731,10 @@ void dhcpd_start(const char *netif_name)
         }
         p = p + 1; /* move to xxx.xxx.xxx.^ */
 
-        sprintf(p, "%d", DHCPD_CLIENT_IP_MIN);
+        snprintf(p, (size_t)(str_tmp + sizeof(str_tmp) - p), "%d", DHCPD_CLIENT_IP_MIN);
         ip4addr_aton(str_tmp, &ip_start);
         DEBUG_PRINTF("ip_start: [%s]\r\n", str_tmp);
-        sprintf(p, "%d", DHCPD_CLIENT_IP_MAX);
+        snprintf(p, (size_t)(str_tmp + sizeof(str_tmp) - p), "%d", DHCPD_CLIENT_IP_MAX);
         ip4addr_aton(str_tmp, &ip_end);
         DEBUG_PRINTF("ip_end: [%s]\r\n", str_tmp);
 

Original file line number	Diff line number	Diff line change
`@@ -266,7 +266,7 @@ dhcp_client_alloc(struct dhcp_server dhcpserver, struct dhcp_msg msg,`
`266`	`266`	`{`
`267`	`267`	`return NULL;`
`268`	`268`	`}`
`269`		`- SMEMCPY(node->chaddr, msg->chaddr, msg->hlen);`
	`269`	`+ SMEMCPY(node->chaddr, msg->chaddr, (msg->hlen > sizeof(node->chaddr)) ? sizeof(node->chaddr) : msg->hlen);`
`270`	`270`	`node->ipaddr = dhcpserver->current;`
`271`	`271`
`272`	`272`	`node->next = dhcpserver->node_list;`
`@@ -731,10 +731,10 @@ void dhcpd_start(const char *netif_name)`
`731`	`731`	`}`
`732`	`732`	`p = p + 1; /* move to xxx.xxx.xxx.^ */`
`733`	`733`
`734`		`- sprintf(p, "%d", DHCPD_CLIENT_IP_MIN);`
	`734`	`+ snprintf(p, (size_t)(str_tmp + sizeof(str_tmp) - p), "%d", DHCPD_CLIENT_IP_MIN);`
`735`	`735`	`ip4addr_aton(str_tmp, &ip_start);`
`736`	`736`	`DEBUG_PRINTF("ip_start: [%s]\r\n", str_tmp);`
`737`		`- sprintf(p, "%d", DHCPD_CLIENT_IP_MAX);`
	`737`	`+ snprintf(p, (size_t)(str_tmp + sizeof(str_tmp) - p), "%d", DHCPD_CLIENT_IP_MAX);`
`738`	`738`	`ip4addr_aton(str_tmp, &ip_end);`
`739`	`739`	`DEBUG_PRINTF("ip_end: [%s]\r\n", str_tmp);`
`740`	`740`