1*4882a593SmuzhiyunFrom 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Paul Mackerras <paulus@ozlabs.org> 3*4882a593SmuzhiyunDate: Mon, 3 Feb 2020 15:53:28 +1100 4*4882a593SmuzhiyunSubject: [PATCH] pppd: Fix bounds check in EAP code 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunGiven that we have just checked vallen < len, it can never be the case 7*4882a593Smuzhiyunthat vallen >= len + sizeof(rhostname). This fixes the check so we 8*4882a593Smuzhiyunactually avoid overflowing the rhostname array. 9*4882a593Smuzhiyun 10*4882a593SmuzhiyunReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> 11*4882a593SmuzhiyunSigned-off-by: Paul Mackerras <paulus@ozlabs.org> 12*4882a593Smuzhiyun--- 13*4882a593Smuzhiyun pppd/eap.c | 4 ++-- 14*4882a593Smuzhiyun 1 file changed, 2 insertions(+), 2 deletions(-) 15*4882a593Smuzhiyun 16*4882a593Smuzhiyundiff --git a/pppd/eap.c b/pppd/eap.c 17*4882a593Smuzhiyunindex 94407f56..1b93db01 100644 18*4882a593Smuzhiyun--- a/pppd/eap.c 19*4882a593Smuzhiyun+++ b/pppd/eap.c 20*4882a593Smuzhiyun@@ -1420,7 +1420,7 @@ int len; 21*4882a593Smuzhiyun } 22*4882a593Smuzhiyun 23*4882a593Smuzhiyun /* Not so likely to happen. */ 24*4882a593Smuzhiyun- if (vallen >= len + sizeof (rhostname)) { 25*4882a593Smuzhiyun+ if (len - vallen >= sizeof (rhostname)) { 26*4882a593Smuzhiyun dbglog("EAP: trimming really long peer name down"); 27*4882a593Smuzhiyun BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); 28*4882a593Smuzhiyun rhostname[sizeof (rhostname) - 1] = '\0'; 29*4882a593Smuzhiyun@@ -1846,7 +1846,7 @@ int len; 30*4882a593Smuzhiyun } 31*4882a593Smuzhiyun 32*4882a593Smuzhiyun /* Not so likely to happen. */ 33*4882a593Smuzhiyun- if (vallen >= len + sizeof (rhostname)) { 34*4882a593Smuzhiyun+ if (len - vallen >= sizeof (rhostname)) { 35*4882a593Smuzhiyun dbglog("EAP: trimming really long peer name down"); 36*4882a593Smuzhiyun BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); 37*4882a593Smuzhiyun rhostname[sizeof (rhostname) - 1] = '\0'; 38