| From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
| From: Paul Mackerras <paulus@ozlabs.org>
| Date: Mon, 3 Feb 2020 15:53:28 +1100
| Subject: [PATCH] pppd: Fix bounds check in EAP code
| 
| Given that we have just checked vallen < len, it can never be the case
| that vallen >= len + sizeof(rhostname).  This fixes the check so we
| actually avoid overflowing the rhostname array.
| 
| Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
| Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
| ---
|  pppd/eap.c | 4 ++--
|  1 file changed, 2 insertions(+), 2 deletions(-)
| 
| diff --git a/pppd/eap.c b/pppd/eap.c
| index 94407f56a336..1b93db01aebd 100644
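--- a/pppd/eap.c
+++ b/pppd/eap.c
@@ -1420,7 +1420,7 @@ int len;
 		}
 
 		/* Not so likely to happen. */
-		if (vallen >= len + sizeof (rhostname)) {
+		if (len - vallen >= sizeof (rhostname)) {
 			dbglog("EAP: trimming really long peer name down");
 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
 			rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1846,7 +1846,7 @@ int len;
 		}
 
 		/* Not so likely to happen. */
-		if (vallen >= len + sizeof (rhostname)) {
+		if (len - vallen >= sizeof (rhostname)) {
 			dbglog("EAP: trimming really long peer name down");
 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
 			rhostname[sizeof (rhostname) - 1] = '\0';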
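Review bot: The corrected test `len - vallen >= sizeof (rhostname)` compares a signed difference (`len` is declared `int` in the hunk header) against a `size_t`, so it is only sound because a check outside these hunks, described in the commit message, keeps `vallen` from exceeding `len`. If that earlier check were ever loosened, a negative difference would convert to a very large unsigned value and still take the trimming branch, so I would record the dependency next to the test, e.g. `/* vallen <= len was verified above, so len - vallen is the remaining name length */`. The same applies to the identical hunk at line 1846; since both copies carried the same wrong bound, a shared helper for copying the peer name into `rhostname` would keep them from diverging again. An oversized peer name is also only reported through `dbglog`, so the event is probably invisible at normal log levels; `warn("EAP: trimming really long peer name down");` would give operators something to alert on. Both enclosing functions start and end outside the hunks.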
