Commit 7658e82

pppd: Eliminate potential integer overflow in option parsing
When we are reading in a word from an options file, we maintain a count of the length we have seen so far in 'len', which is an int. When len exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the buffer but we continue to increment len. Since len is an int, it will wrap around to -2147483648 after it reaches 2147483647. At that point our test of (len < MAXWORDLEN-1) will succeed and we will start writing characters to memory again. This may enable an attacker to overwrite the heap and thereby corrupt security-relevant variables. For this reason it has been assigned a CVE identifier, CVE-2014-3158.

This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.

Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
1 parent 880a81b commit 7658e82
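The saturating-length bound described in the commit message, reworked as a stand-alone C example that is not part of the pppd source: `read_word()` mirrors the patched getword() logic (store only while `len < MAXWORDLEN`, never count past it) on a constructed overlong input, and shows that the terminator write after the loop must clamp `len` when the word has filled the buffer. `MAXWORDLEN`'s value, `read_word` and `read_constructed` are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAXWORDLEN 1024   /* buffer size assumed for this example, as in the pppd parser */

/*
 * Bounded word reader modelled on the fixed getword(): a character is stored
 * only while len < MAXWORDLEN, and len stops growing at MAXWORDLEN, so the
 * counter saturates instead of wrapping around. Reads up to whitespace or end
 * of input, always NUL-terminates word, sets *truncated if the word did not fit.
 */
static int read_word(const char *input, char word[MAXWORDLEN], int *truncated)
{
    int len = 0;
    for (; *input != '\0' && !strchr(" \t\n", *input); ++input) {
        if (len < MAXWORDLEN) {
            word[len] = *input;
            ++len;
        }
        /* len == MAXWORDLEN: neither store nor count further characters */
    }
    *truncated = (len >= MAXWORDLEN);
    if (len >= MAXWORDLEN)
        len = MAXWORDLEN - 1;      /* keep room for the terminating NUL */
    word[len] = '\0';
    return len;
}

/* Constructed input: word_chars copies of 'A', then " next". Returns stored length. */
static int read_constructed(int word_chars, int *truncated)
{
    static char input[8192];
    char word[MAXWORDLEN];
    if (word_chars < 0 || word_chars > (int)sizeof(input) - 6)
        return -1;
    memset(input, 'A', (size_t)word_chars);
    strcpy(input + word_chars, " next");
    return read_word(input, word, truncated);
}

int main(void)
{
    int sizes[] = { 5, MAXWORDLEN - 1, MAXWORDLEN, 5000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int truncated, len = read_constructed(sizes[i], &truncated);
        printf("input word of %d chars -> stored %d, truncated=%d\n",
               sizes[i], len, truncated);
    }
    return 0;
}
```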

1 file changed, +6 -4 lines changed

Diff for: pppd/options.c

@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
12891289
/*
12901290
* Store the resulting character for the escape sequence.
12911291
*/
1292-
if (len < MAXWORDLEN-1)
1292+
if (len < MAXWORDLEN) {
12931293
word[len] = value;
1294-
++len;
1294+
++len;
1295+
}
12951296

12961297
if (!got)
12971298
c = getc(f);
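Review bot: the escape-sequence store in this hunk raises the bound from MAXWORDLEN-1 to MAXWORDLEN, so word[MAXWORDLEN-1] can now be written and len saturates at MAXWORDLEN instead of counting on, which is what removes the wraparound; please confirm that the terminator write after the loop, which is outside this hunk, clamps len back to MAXWORDLEN-1 before `word[len] = 0`, otherwise a word of exactly MAXWORDLEN bytes would store one byte past the buffer. A short comment on the `if (len < MAXWORDLEN) {` line saying that len is deliberately left at MAXWORDLEN to flag an overlong word would make that intent clear to the next reader.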
@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
13291330
/*
13301331
* An ordinary character: store it in the word and get another.
13311332
*/
1332-
if (len < MAXWORDLEN-1)
1333+
if (len < MAXWORDLEN) {
13331334
word[len] = c;
1334-
++len;
1335+
++len;
1336+
}
13351337

13361338
c = getc(f);
13371339
}
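Review bot: this hunk repeats the bounded-append from the escape-sequence path verbatim, and the previous bug was only as safe as the two sites' agreement on the same bound; consider a small static helper or macro that checks `len < MAXWORDLEN` and stores `c`, so the two call sites cannot drift apart again, and confirm there is no third place in getword() that appends to word and still uses the old bound.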
