author | Paul Mackerras <paulus@ozlabs.org> | 2020-02-03 15:53:28 +1100 |
---|---|---|
committer | Anis Assi <anisassi@google.com> | 2020-04-09 13:45:19 -0700 |
commit | e5abe0f68ce9535798176e2572b4ecbe8a005f3a (patch) | |
tree | 3319aa3988fb14c85b2121bccbf5032fff6b9c9f | |
parent | 90da8c8f15db2c82aece6e4085aaf9c116d481f2 (diff) | |
download | ppp-e5abe0f68ce9535798176e2572b4ecbe8a005f3a.tar.gz |
pppd: Fix bounds check in EAP code

Refs: android-security-8.1.0_r93, android-security-8.1.0_r92, android-security-8.1.0_r91, android-security-8.1.0_r90, android-security-8.1.0_r89, android-security-8.1.0_r88, android-security-8.1.0_r87, android-security-8.1.0_r86, android-security-8.1.0_r85, android-security-8.1.0_r84, android-security-8.1.0_r83, android-security-8.1.0_r82, android-8.1.0_r81, android-8.1.0_r80, android-8.1.0_r79, android-8.1.0_r78, android-8.1.0_r77, android-8.1.0_r76, security-oc-mr1-release, oreo-mr1-security-release

Given that we have just checked vallen <= len, it can never be the case
that vallen >= len + sizeof(rhostname). This fixes the check so we
actually avoid overflowing the rhostname array.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Bug: 151153886
Change-Id: Ibc29e1b5b17ddee256b1ff5f3e9909347403a791
Merged-In: Ibc29e1b5b17ddee256b1ff5f3e9909347403a791
(cherry picked from commit f9fec5c36952301e585a420f31e96d35a60d0498)
-rw-r--r-- | pppd/eap.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -1421,7 +1421,7 @@ int len; } /* Not so likely to happen. */ - if (vallen >= len + sizeof (rhostname)) { + if (len - vallen >= sizeof (rhostname)) { dbglog("EAP: trimming really long peer name down"); BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); rhostname[sizeof (rhostname) - 1] = '\0'; @@ -1847,7 +1847,7 @@ int len; } /* Not so likely to happen. */ - if (vallen >= len + sizeof (rhostname)) { + if (len - vallen >= sizeof (rhostname)) { dbglog("EAP: trimming really long peer name down"); BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); rhostname[sizeof (rhostname) - 1] = '\0'; |
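
Review bot: In the hunk at line 1421, the new test `len - vallen >= sizeof (rhostname)` is only correct while `len - vallen` cannot be negative. `len` is declared `int`, and comparing the difference against a `sizeof` value is done in an unsigned type, so a negative difference would become a very large number and take the trimming branch. The commit message says `vallen <= len` has just been checked, but that check lies outside the visible context. A one-line comment at this test stating that dependency, or an explicit guard next to it, would keep a later reordering from reintroducing the overflow.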
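
Review bot: The hunk at line 1847 repeats the line 1421 change verbatim (same test, same `dbglog`, same `BCOPY` and terminator), and the incorrect check it replaces was duplicated in both places as well. Consider moving the peer-name copy into one helper that takes `inp`, `vallen` and `len`, so the bound on `rhostname` is checked in one place and the two call sites cannot drift apart.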