Andrew Geissler | 706d5aa | 2021-02-12 15:55:30 -0600 | 1 | From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 |
| 2 | From: Paul Mackerras <paulus@ozlabs.org> |
| 3 | Date: Mon, 3 Feb 2020 15:53:28 +1100 |
| 4 | Subject: [PATCH] pppd: Fix bounds check in EAP code |
| 5 | |
| 6 | Given that we have just checked vallen < len, it can never be the case |
| 7 | that vallen >= len + sizeof(rhostname). This fixes the check so we |
| 8 | actually avoid overflowing the rhostname array. |
| 9 | |
| 10 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> |
| 11 | Signed-off-by: Paul Mackerras <paulus@ozlabs.org> |
| 12 | |
| 13 | Upstream-Status: Backport |
| 14 | [https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426] |
| 15 | |
| 16 | CVE: CVE-2020-8597 |
| 17 | |
| 18 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
| 19 | --- |
| 20 | pppd/eap.c | 4 ++-- |
| 21 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 22 | |
| 23 | diff --git a/pppd/eap.c b/pppd/eap.c |
| 24 | index 94407f5..1b93db0 100644 |
| 25 | --- a/pppd/eap.c |
| 26 | +++ b/pppd/eap.c |
| 27 | @@ -1420,7 +1420,7 @@ int len; |
| 28 | } |
| 29 | |
| 30 | /* Not so likely to happen. */ |
| 31 | - if (vallen >= len + sizeof (rhostname)) { |
| 32 | + if (len - vallen >= sizeof (rhostname)) { |
| 33 | dbglog("EAP: trimming really long peer name down"); |
| 34 | BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); |
| 35 | rhostname[sizeof (rhostname) - 1] = '\0'; |
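Review bot: The new condition `len - vallen >= sizeof (rhostname)` mixes a signed operand with `size_t`, and nothing in this hunk documents why that is safe. `len` is declared `int` (see `int len;` in the hunk header), so the difference is converted to unsigned before the comparison. If `len` were ever smaller than `vallen`, the result would wrap to a very large value and the trimming branch would copy `sizeof (rhostname) - 1` bytes starting at `inp + vallen`. The commit message says `vallen < len` has just been checked, so the subtraction cannot go negative here, but that guard is outside the visible context. Consider adding a short comment above the condition stating that it relies on the earlier `vallen < len` check, or computing the remaining length into a named variable once so the dependency is explicit.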
| 36 | @@ -1846,7 +1846,7 @@ int len; |
| 37 | } |
| 38 | |
| 39 | /* Not so likely to happen. */ |
| 40 | - if (vallen >= len + sizeof (rhostname)) { |
| 41 | + if (len - vallen >= sizeof (rhostname)) { |
| 42 | dbglog("EAP: trimming really long peer name down"); |
| 43 | BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); |
| 44 | rhostname[sizeof (rhostname) - 1] = '\0'; |
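Review bot: This is a second copy of the same length check and trimming code as the hunk at line 1420, and the original bug had to be fixed identically in both places. Consider moving the peer-name copy into one helper that takes `inp`, `vallen` and `len` and fills `rhostname`, so the two call sites cannot diverge in a later change. The retained comment `/* Not so likely to happen. */` also undersells the branch: the commit message describes this check as what prevents overflowing the `rhostname` array, so the comment would be more useful if it said that the name is truncated to fit the buffer.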
| 45 | -- |
| 46 | 2.17.1 |
| 47 | |