[src/trunk]: src/external/bsd/ppp/dist/pppd pppd: Fix bounds check in EAP code

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/external/bsd/ppp/dist/pppd pppd: Fix bounds check in EAP code
From: christos <christos%NetBSD.org@localhost>
Date: Wed, 12 Feb 2020 04:32:30 +0000

details:   https://anonhg.NetBSD.org/src/rev/a642a2ea15d4
branches:  trunk
changeset: 744747:a642a2ea15d4
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Feb 12 01:51:52 2020 +0000

description:
pppd: Fix bounds check in EAP code

Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname).  This fixes the check so we
actually avoid overflowing the rhostname array.

Reported-by: Ilja Van Sprundel <ivansprundel%ioactive.com@localhost>
Signed-off-by: Paul Mackerras <paulus%ozlabs.org@localhost>

From:
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426

diffstat:

 external/bsd/ppp/dist/pppd/eap.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (36 lines):

diff -r c145f3302afb -r a642a2ea15d4 external/bsd/ppp/dist/pppd/eap.c
--- a/external/bsd/ppp/dist/pppd/eap.c  Wed Feb 12 01:34:55 2020 +0000
+++ b/external/bsd/ppp/dist/pppd/eap.c  Wed Feb 12 01:51:52 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: eap.c,v 1.4 2014/10/25 21:11:37 christos Exp $ */
+/*     $NetBSD: eap.c,v 1.5 2020/02/12 01:51:52 christos Exp $ */
 /*
  * eap.c - Extensible Authentication Protocol for PPP (RFC 2284)
  *
@@ -49,7 +49,7 @@
 #define RCSID  "Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp "
 static const char rcsid[] = RCSID;
 #else
-__RCSID("$NetBSD: eap.c,v 1.4 2014/10/25 21:11:37 christos Exp $");
+__RCSID("$NetBSD: eap.c,v 1.5 2020/02/12 01:51:52 christos Exp $");
 #endif
 
 /*
@@ -1433,7 +1433,7 @@
                }
 
                /* Not so likely to happen. */
-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
                        dbglog("EAP: trimming really long peer name down");
                        BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
                        rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1859,7 +1859,7 @@
                }
 
                /* Not so likely to happen. */
-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
                        dbglog("EAP: trimming really long peer name down");
                        BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
                        rhostname[sizeof (rhostname) - 1] = '\0';

Prev by Date: [src/trunk]: src/sys/net/npf PR/54950: Lloyd Parkes: Avoid NULL deref.
Next by Date: [src/trunk]: src/sys/arch/aarch64/aarch64 Create a buffer space of 512 bytes ...
Previous by Thread: [src/trunk]: src/sys/net/npf PR/54950: Lloyd Parkes: Avoid NULL deref.
Next by Thread: [src/trunk]: src/sys/arch/aarch64/aarch64 Create a buffer space of 512 bytes ...
Indexes:

Home | Main Index | Thread Index | Old Index