pppdump: Avoid out-of-range access to packet buffer
This fixes a potential vulnerability where data is written to spkt.buf
and rpkt.buf without a check on the array index.  To fix this, we
check the array index (pkt->cnt) before storing the byte or
incrementing the count.  This also means we no longer have a potential
signed integer overflow on the increment of pkt->cnt.

Fortunately, pppdump is not used in the normal process of setting up a
PPP connection, is not installed setuid-root, and is not invoked
automatically in any scenario that I am aware of.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
paulusmack committed Aug 4, 2022
1 parent fb3529c commit a75fb7b
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion pppdump/pppdump.c
@@ -297,6 +297,10 @@ dumpppp(f)
printf("%s aborted packet:\n ", dir);
q = " ";
}
if (pkt->cnt >= sizeof(pkt->buf)) {
printf("%s over-long packet truncated:\n ", dir);
q = " ";
}
nb = pkt->cnt;
p = pkt->buf;
pkt->cnt = 0;
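Review bot: the new `pkt->cnt >= sizeof(pkt->buf)` test reports "over-long packet truncated" whenever the count has reached the buffer size, which a packet that fits exactly can also do; because the store in the later hunk stops incrementing at that bound, a full-but-intact packet and a genuinely truncated one are indistinguishable at this point. If that distinction matters to readers of the dump, consider a separate overflow flag set only when a byte is actually dropped, or at least a comment here noting that the message is conservative. Leaving `nb = pkt->cnt` as the length is fine either way, since `cnt` can no longer exceed the buffer.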
@@ -400,7 +404,8 @@ dumpppp(f)
c ^= 0x20;
pkt->esc = 0;
}
pkt->buf[pkt->cnt++] = c;
if (pkt->cnt < sizeof(pkt->buf))
pkt->buf[pkt->cnt++] = c;
break;
}
}
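Review bot: the guard `if (pkt->cnt < sizeof(pkt->buf))` correctly stops the write at the end of the buffer, but it compares `pkt->cnt` against a `size_t`; given the commit message's mention of signed overflow on this increment, `cnt` is signed and is converted to unsigned for the comparison, which is safe only because `cnt` is reset to 0 in the earlier hunk and never decremented. A one-line comment at the store, or a cast, would make that invariant explicit. Note also that bytes beyond the bound are dropped without any record other than `cnt` saturating at `sizeof(pkt->buf)`, so the truncation message in the first hunk is the only indication that data was lost.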