Commit | Line | Data |
---|---|---|
5cbcd514 SS |
1 | commit 8d7970b8f3db727fe798b65f3377fe6787575426 |
2 | Author: Paul Mackerras <paulus@ozlabs.org> | |
3 | Date: Mon Feb 3 15:53:28 2020 +1100 | |
4 | ||
5 | pppd: Fix bounds check in EAP code | |
6 | ||
7 | Given that we have just checked vallen < len, it can never be the case | |
8 | that vallen >= len + sizeof(rhostname). This fixes the check so we | |
9 | actually avoid overflowing the rhostname array. | |
10 | ||
11 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
12 | Signed-off-by: Paul Mackerras <paulus@ozlabs.org> | |
13 | ||
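diff --git a/pppd/eap.c b/pppd/eap.c
index 94407f5..1b93db0 100644
--- a/pppd/eap.c
+++ b/pppd/eap.c
@@ -1420,7 +1420,7 @@ int len;
 }
 
 /* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
 dbglog("EAP: trimming really long peer name down");
 BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
 rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1846,7 +1846,7 @@ int len;
 }
 
 /* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
 dbglog("EAP: trimming really long peer name down");
 BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
 rhostname[sizeof (rhostname) - 1] = '\0';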
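Review bot: The comment `/* Not so likely to happen. */` above the corrected check understates the case, because the name length comes from the peer's packet and an over-long name is therefore input the remote side chooses; I would reword it in both hunks to `/* Peer controls the name length; truncate to fit rhostname. */`. The new test `len - vallen >= sizeof (rhostname)` compares an `int` expression (`len` is `int` per the hunk header; the declaration of `vallen` is not visible) against a `size_t`, so it is only meaningful while `len - vallen` is non-negative. The commit message says an earlier check outside the hunk guarantees that, and a one-line comment stating the dependency, such as `/* len - vallen >= 0 here: vallen was range-checked against len above */`, would keep a later edit from separating the two. The non-truncating branch and the rest of both functions lie outside the hunks, so the copy length used there could not be confirmed from this page.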