Skip to content
Permalink
Browse files
pppd: Fix bounds check in EAP code
Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname).  This fixes the check so we
actually avoid overflowing the rhostname array.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
  • Loading branch information
paulusmack committed Feb 3, 2020
1 parent 858976b commit 8d7970b8f3db727fe798b65f3377fe6787575426
Showing with 2 additions and 2 deletions.
  1. +2 −2 pppd/eap.c
@@ -1420,7 +1420,7 @@ int len;
}

/* Not so likely to happen. */
if (vallen >= len + sizeof (rhostname)) {
if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1846,7 +1846,7 @@ int len;
}

/* Not so likely to happen. */
if (vallen >= len + sizeof (rhostname)) {
if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';

0 comments on commit 8d7970b

Please sign in to comment.