pppd(8) creates the Reject message by moving each rejected option
to the left in the buffer with memcpy(3). If the moving distance is
less than the option length, this becomes a copy between overlapping
regions, which leads to a crash.
The following patch fixes this issue by replacing memcpy(3) with
memmove(3).
Index: pppd.h
===================================================================
RCS file: /cvs/src/usr.sbin/pppd/pppd.h,v
retrieving revision 1.18
diff -u -p -r1.18 pppd.h
--- pppd.h 16 Jan 2015 06:40:19 -0000 1.18
+++ pppd.h 12 Jun 2015 12:11:14 -0000
@@ -402,6 +402,7 @@ extern struct option_info devnam_info;
#define UNTIMEOUT(r, f) untimeout((r), (f))
#define BCOPY(s, d, l) memcpy(d, s, l)
+#define BMOVE(s, d, l) memmove(d, s, l)
#define BZERO(s, n) memset(s, 0, n)
#define EXIT(u) quit()
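Review bot: BCOPY still expands to memcpy, so any other caller that copies within a single buffer keeps the undefined behaviour this patch removes from lcp.c. Only the one call site is converted here, so it is worth auditing the remaining BCOPY uses in pppd for in-place moves, particularly code that compacts options taken from a peer's request. A comment above the pair would stop the mistake recurring, for example `/* BCOPY: regions must not overlap; use BMOVE for moves within one buffer */`. Both macros keep the bcopy-style (source, destination, length) argument order, which is easy to confuse with memmove's own order, so the comment could state that too.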
Index: lcp.c
===================================================================
RCS file: /cvs/src/usr.sbin/pppd/lcp.c,v
retrieving revision 1.11
diff -u -p -r1.11 lcp.c
--- lcp.c 15 Jan 2015 23:19:48 -0000 1.11
+++ lcp.c 12 Jun 2015 12:11:14 -0000
@@ -1441,7 +1441,7 @@ endswitch:
if (orc == CONFREJ) { /* Reject this CI */
rc = CONFREJ;
if (cip != rejp) /* Need to move rejected CI? */
- BCOPY(cip, rejp, cilen); /* Move it */
+ BMOVE(cip, rejp, cilen); /* Move it (NB: overlapped regions) */
INCPTR(cilen, rejp); /* Update output pointer */
}
}
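Review bot: The new comment `(NB: overlapped regions)` on the BMOVE line does not say when the overlap occurs, which is the detail a later maintainer needs to avoid reverting to BCOPY. Going by the patch description, rejp trails cip and the regions overlap whenever the distance between them is smaller than cilen, so something like `/* Move it; src/dst overlap when cip - rejp < cilen */` would record the invariant. The option data presumably comes from the peer's Configure-Request, which would make the crash reachable from the remote end of the link. The enclosing function starts outside this hunk, so whether cilen is checked against the remaining packet length before this point cannot be confirmed from here.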
--
Sergey