Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-7-1]: src/external/bsd/ppp/dist/pppd Pull up following revision(s...
details: https://anonhg.NetBSD.org/src/rev/7aa7cece5690
branches: netbsd-7-1
changeset: 744796:7aa7cece5690
user: martin <martin%NetBSD.org@localhost>
date: Wed Feb 12 20:22:07 2020 +0000
description:
Pull up following revision(s) (requested by christos in ticket #1722):
external/bsd/ppp/dist/pppd/eap.c: revision 1.5
pppd: Fix bounds check in EAP code
Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname). This fixes the check so we
actually avoid overflowing the rhostname array.
Reported-by: Ilja Van Sprundel <ivansprundel%ioactive.com@localhost>
Signed-off-by: Paul Mackerras <paulus%ozlabs.org@localhost>
From:
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
diffstat:
external/bsd/ppp/dist/pppd/eap.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diffs (36 lines):
diff -r 376a0ebd2a1d -r 7aa7cece5690 external/bsd/ppp/dist/pppd/eap.c
--- a/external/bsd/ppp/dist/pppd/eap.c Tue Jan 21 19:24:10 2020 +0000
+++ b/external/bsd/ppp/dist/pppd/eap.c Wed Feb 12 20:22:07 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: eap.c,v 1.2 2013/11/28 22:33:42 christos Exp $ */
+/* $NetBSD: eap.c,v 1.2.14.1 2020/02/12 20:22:07 martin Exp $ */
/*
* eap.c - Extensible Authentication Protocol for PPP (RFC 2284)
*
@@ -49,7 +49,7 @@
#define RCSID "Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp "
static const char rcsid[] = RCSID;
#else
-__RCSID("$NetBSD: eap.c,v 1.2 2013/11/28 22:33:42 christos Exp $");
+__RCSID("$NetBSD: eap.c,v 1.2.14.1 2020/02/12 20:22:07 martin Exp $");
#endif
/*
@@ -1433,7 +1433,7 @@
}
/* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1859,7 +1859,7 @@
}
/* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
Home |
Main Index |
Thread Index |
Old Index