fix: the dhcp server copies the hardware address (ch... in...

[orbisai0security]

Summary

Fix critical severity security issue in components/net/lwip-dhcpd/dhcp_server_raw.c.

Vulnerability

Field	Value
ID	V-001
Severity	CRITICAL
Scanner	multi_agent_ai
Rule	V-001
File	components/net/lwip-dhcpd/dhcp_server_raw.c:269

Description: The DHCP server copies the hardware address (chaddr) from an incoming DHCP packet into a fixed-size destination buffer using the length field (hlen) directly from the attacker-controlled packet, without first verifying that hlen does not exceed the destination buffer size. An attacker can set hlen to 255 (maximum byte value) while the destination buffer is sized for 16 bytes (maximum Ethernet hardware address per RFC 2131), causing up to 239 bytes of heap overflow that corrupts adjacent memory structures.

Changes

• components/net/lwip-dhcpd/dhcp_server_raw.c

Verification

• Build passes
• Scanner re-scan confirms fix
• LLM code review passed

---

Automated security fix by OrbisAI Security

[github-actions]

👋 感谢您对 RT-Thread 的贡献！Thank you for your contribution to RT-Thread!

为确保代码符合 RT-Thread 的编码规范，请在你的仓库中执行以下步骤运行代码格式化工作流（如果格式化CI运行失败）。
To ensure your code complies with RT-Thread's coding style, please run the code formatting workflow by following the steps below (If the formatting of CI fails to run).

---

🛠 操作步骤 | Steps

1. 前往 Actions 页面 | Go to the Actions page
   点击进入工作流 → | Click to open workflow →

2. 点击 Run workflow | Click Run workflow

• 设置需排除的文件/目录（目录请以"/"结尾）
  Set files/directories to exclude (directories should end with "/")
• 将目标分支设置为 \ Set the target branch to：fix-dhcp-server-chaddr-heap-overflow
• 设置PR number为 \ Set the PR number to：11372

3. 等待工作流完成 | Wait for the workflow to complete
   格式化后的代码将自动推送至你的分支。
   The formatted code will be automatically pushed to your branch.

完成后，提交将自动更新至 fix-dhcp-server-chaddr-heap-overflow 分支，关联的 Pull Request 也会同步更新。
Once completed, commits will be pushed to the fix-dhcp-server-chaddr-heap-overflow branch automatically, and the related Pull Request will be updated.

如有问题欢迎联系我们，再次感谢您的贡献！💐
If you have any questions, feel free to reach out. Thanks again for your contribution!

[CLAassistant]

All committers have signed the CLA.

[github-actions]

📌 Code Review Assignment

🏷️ Tag: components

Reviewers: @Maihuanyi

Changed Files (Click to expand)

• components/net/lwip-dhcpd/dhcp_server_raw.c

---

📊 Current Review Status (Last Updated: 2026-05-07 13:38 CST)

• ⌛ @Maihuanyi Pending Review

---

📝 Review Instructions

1. 维护者可以通过单击此处来刷新审查状态: 🔄 刷新状态
   Maintainers can refresh the review status by clicking here: 🔄 Refresh Status

2. 确认审核通过后评论 LGTM/lgtm
   Comment LGTM/lgtm after confirming approval

3. PR合并前需至少一位维护者确认
   PR must be confirmed by at least one maintainer before merging

ℹ️ 刷新CI状态操作需要具备仓库写入权限。
ℹ️ Refresh CI status operation requires repository Write permission.