bootp: Improve allocation handling in parse_dhcp6_option

This adjusts Debian's net_bootp6 patch to perform safe allocation.  (In
practice this isn't a security problem because `ln` is 16 bits so it
can't overflow after promotion to 32 bits.)

Signed-off-by: Colin Watson <cjwatson@debian.org>
Patch-Name: bootp-alloc.patch

diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
index dd0ffcdaea0275925f5c85f013dd63c73962253c..efa92b89b022281ae63533f191fdd03adf046ce3 100644 (file)
--- a/grub-core/net/bootp.c
+++ b/grub-core/net/bootp.c
@@ -857,7 +857,7 @@ parse_dhcp6_option (const struct grub_net_dhcp6_option *opt, void *data)
              break;
            }
          dhcp6->num_dns_server = ln = len >> 4;
-         dhcp6->dns_server_addrs = la = grub_zalloc (ln * sizeof (*la));
+         dhcp6->dns_server_addrs = la = grub_calloc (ln, sizeof (*la));
 
          for (po = opt->data; ln > 0; po += 0x10, la++, ln--)
            {