Synopsis: ISC dhclient subnet-mask flag stack overflow
NetBSD versions: 5.0, 4.0.1, 4.0
Thanks to: Mandriva Linux Engineering Team, Christos Zoulas
Reported in NetBSD Security Advisory: NetBSD-SA2009-010

Index: dhclient.c
diff -u dhclient.c:1.19 dhclient.c:1.20
--- dhclient.c:1.19	Tue Feb 26 05:03:29 2008
+++ dhclient.c	Tue Jun 23 19:50:50 2009
@@ -2520,6 +2520,8 @@
 		if (data.len > 3) {
 			struct iaddr netmask, subnet, broadcast;
 
+			if (data.len > sizeof netmask.iabuf)
+			    data.len = sizeof netmask.iabuf;
 			memcpy (netmask.iabuf, data.data, data.len);
 			netmask.len = data.len;
 			data_string_forget (&data, MDL);