The branch main has been updated by jhb:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=7e971892dfc5aac20bd62be7817941dbaed55f42

commit 7e971892dfc5aac20bd62be7817941dbaed55f42
Author:     John Baldwin <[email protected]>
AuthorDate: 2026-06-10 13:44:10 +0000
Commit:     John Baldwin <[email protected]>
CommitDate: 2026-06-10 13:44:10 +0000

    ppp: Permit CHAP challenges up to 255 bytes
    
    RFC 1994 does not place any limit on the length of the value field in
    challenge messages except that the length is a single octet which
    bounds the maximum length to 255.
    
    NB: I'm not sure why the local[] and peer[] arrays contain room for an
    authentication name (AUTHLEN) in addition to a challenge value/response,
    but I've just left that in place.
    
    PR:             271955
    Reported by:    Robert Morris <[email protected]>
    Reviewed by:    des
    Differential Revision:  https://reviews.freebsd.org/D57138
---
 usr.sbin/ppp/chap.c | 4 ++--
 usr.sbin/ppp/chap.h | 4 ++--
 usr.sbin/ppp/defs.h | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/ppp/chap.c b/usr.sbin/ppp/chap.c
index 9cefa6db71ce..1129aa7fb2a3 100644
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@@ -238,7 +238,7 @@ chap_BuildAnswer(char *name, char *key, u_char id, char 
*challenge
     MD5Init(&MD5context);
     MD5Update(&MD5context, &id, 1);
     MD5Update(&MD5context, key, klen);
-    MD5Update(&MD5context, challenge + 1, *challenge);
+    MD5Update(&MD5context, challenge + 1, (u_char)*challenge);
     MD5Final(digest, &MD5context);
 
     memcpy(digest + 16, name, nlen);
@@ -913,7 +913,7 @@ chap_Input(struct bundle *bundle, struct link *l, struct 
mbuf *bp)
               if (myans == NULL)
                 key = NULL;
               else {
-                if (!chap_Cmp(myans + 1, *myans, ans + 1, alen
+                if (!chap_Cmp(myans + 1, (u_char)*myans, ans + 1, alen
 #ifndef NODES
                               , p->link.lcp.want_authtype, lanman
 #endif
diff --git a/usr.sbin/ppp/chap.h b/usr.sbin/ppp/chap.h
index f697167ab165..993ed3f060f7 100644
--- a/usr.sbin/ppp/chap.h
+++ b/usr.sbin/ppp/chap.h
@@ -48,8 +48,8 @@ struct chap {
   } child;
   struct authinfo auth;
   struct {
-    u_char local[CHAPCHALLENGELEN + AUTHLEN];  /* I invented this one */
-    u_char peer[CHAPCHALLENGELEN + AUTHLEN];   /* Peer gave us this one */
+    u_char local[CHAPCHALLENGELEN + 1 + AUTHLEN]; /* I invented this one */
+    u_char peer[CHAPCHALLENGELEN + 1 + AUTHLEN];  /* Peer gave us this one */
   } challenge;
 #ifndef NODES
   unsigned NTRespSent : 1;             /* Our last response */
diff --git a/usr.sbin/ppp/defs.h b/usr.sbin/ppp/defs.h
index c76cbd8ad9cb..31f2577a6c23 100644
--- a/usr.sbin/ppp/defs.h
+++ b/usr.sbin/ppp/defs.h
@@ -58,7 +58,7 @@
 #define DEVICE_LEN SCRIPT_LEN  /* Size of individual devices */
 #define AUTHLEN 100            /* Size of authname/authkey */
 #define CHAPDIGESTLEN 100      /* Maximum chap digest */
-#define CHAPCHALLENGELEN 48    /* Maximum chap challenge */
+#define CHAPCHALLENGELEN 255   /* Maximum chap challenge */
 #define CHAPAUTHRESPONSELEN 48 /* Maximum chap authresponse (chap81) */
 #define MAXARGS 40             /* How many args per config line */
 #define NCP_IDLE_TIMEOUT 180   /* Drop all links */

Reply via email to