CVS commit: src/external/bsd/ppp/dist/pppd

Tue, 11 Feb 2020 17:52:26 -0800 

Module Name:    src
Committed By:   christos
Date:           Wed Feb 12 01:51:52 UTC 2020

Modified Files:
        src/external/bsd/ppp/dist/pppd: eap.c

Log Message:
pppd: Fix bounds check in EAP code

Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname).  This fixes the check so we
actually avoid overflowing the rhostname array.

Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Paul Mackerras <[email protected]>

From:
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/external/bsd/ppp/dist/pppd/eap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/external/bsd/ppp/dist/pppd/eap.c
diff -u src/external/bsd/ppp/dist/pppd/eap.c:1.4 src/external/bsd/ppp/dist/pppd/eap.c:1.5
--- src/external/bsd/ppp/dist/pppd/eap.c:1.4	Sat Oct 25 17:11:37 2014
+++ src/external/bsd/ppp/dist/pppd/eap.c	Tue Feb 11 20:51:52 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: eap.c,v 1.4 2014/10/25 21:11:37 christos Exp $	*/
+/*	$NetBSD: eap.c,v 1.5 2020/02/12 01:51:52 christos Exp $	*/
 /*
  * eap.c - Extensible Authentication Protocol for PPP (RFC 2284)
  *
@@ -49,7 +49,7 @@
 #define RCSID	"Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp "
 static const char rcsid[] = RCSID;
 #else
-__RCSID("$NetBSD: eap.c,v 1.4 2014/10/25 21:11:37 christos Exp $");
+__RCSID("$NetBSD: eap.c,v 1.5 2020/02/12 01:51:52 christos Exp $");
 #endif
 
 /*
@@ -1433,7 +1433,7 @@ int len;
 		}
 
 		/* Not so likely to happen. */
-		if (vallen >= len + sizeof (rhostname)) {
+		if (len - vallen >= sizeof (rhostname)) {
 			dbglog("EAP: trimming really long peer name down");
 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
 			rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1859,7 +1859,7 @@ int len;
 		}
 
 		/* Not so likely to happen. */
-		if (vallen >= len + sizeof (rhostname)) {
+		if (len - vallen >= sizeof (rhostname)) {
 			dbglog("EAP: trimming really long peer name down");
 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
 			rhostname[sizeof (rhostname) - 1] = '\0';

Reply via email to