authorPaul Mackerras <paulus@ozlabs.org>2020-02-03 15:53:28 +1100
committerXin Li <delphij@google.com>2020-03-17 01:18:57 +0000
commitf9fec5c36952301e585a420f31e96d35a60d0498 (patch)
tree3319aa3988fb14c85b2121bccbf5032fff6b9c9f
parent90da8c8f15db2c82aece6e4085aaf9c116d481f2 (diff)
pppd: Fix bounds check in EAP code
Given that we have just checked vallen <= len, it can never be the case that vallen >= len + sizeof(rhostname). This fixes the check so we actually avoid overflowing the rhostname array.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Bug: 151153886
Change-Id: Ibc29e1b5b17ddee256b1ff5f3e9909347403a791
Merged-In: Ibc29e1b5b17ddee256b1ff5f3e9909347403a791
-rw-r--r--pppd/eap.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/pppd/eap.c b/pppd/eap.c
index 6ea6c1f..5940ebf 100644
--- a/pppd/eap.c
+++ b/pppd/eap.c
@@ -1421,7 +1421,7 @@ int len;
}
/* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
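Review bot: The new test `len - vallen >= sizeof (rhostname)` compares against a `size_t`, so the difference is presumably converted to unsigned (`len` is an `int` per the hunk header; `vallen`'s type is not visible here) and the result is only meaningful while `vallen <= len` holds. That guard sits above the hunk, known here only from the commit message, and nothing at the comparison records the dependency. A comment on the `if`, such as `/* vallen <= len was verified above, so len - vallen is non-negative here */`, would keep a later edit from separating the two checks. The same block is repeated in the hunk at -1847, and since both copies bound a write of peer-supplied bytes into the fixed-size `rhostname`, moving the trim-or-copy-and-terminate logic into one static helper would stop the two from diverging. Both enclosing functions start and end outside the hunks.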
@@ -1847,7 +1847,7 @@ int len;
}
/* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
dbglog("EAP: trimming really long peer name down");
BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';