Module Name: src Committed By: martin Date: Wed Feb 12 20:13:57 UTC 2020
Modified Files: src/external/bsd/ppp/dist/pppd [netbsd-8]: eap.c Log Message: Pull up following revision(s) (requested by christos in ticket #1503): external/bsd/ppp/dist/pppd/eap.c: revision 1.5 pppd: Fix bounds check in EAP code Given that we have just checked vallen < len, it can never be the case that vallen >= len + sizeof(rhostname). This fixes the check so we actually avoid overflowing the rhostname array. Reported-by: Ilja Van Sprundel <ivansprundel%ioactive.com@localhost> Signed-off-by: Paul Mackerras <paulus%ozlabs.org@localhost> From: https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426 To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.4.8.1 src/external/bsd/ppp/dist/pppd/eap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/ppp/dist/pppd/eap.c diff -u src/external/bsd/ppp/dist/pppd/eap.c:1.4 src/external/bsd/ppp/dist/pppd/eap.c:1.4.8.1 --- src/external/bsd/ppp/dist/pppd/eap.c:1.4 Sat Oct 25 21:11:37 2014 +++ src/external/bsd/ppp/dist/pppd/eap.c Wed Feb 12 20:13:57 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: eap.c,v 1.4 2014/10/25 21:11:37 christos Exp $ */ +/* $NetBSD: eap.c,v 1.4.8.1 2020/02/12 20:13:57 martin Exp $ */ /* * eap.c - Extensible Authentication Protocol for PPP (RFC 2284) * @@ -49,7 +49,7 @@ #define RCSID "Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp " static const char rcsid[] = RCSID; #else -__RCSID("$NetBSD: eap.c,v 1.4 2014/10/25 21:11:37 christos Exp $"); +__RCSID("$NetBSD: eap.c,v 1.4.8.1 2020/02/12 20:13:57 martin Exp $"); #endif /* @@ -1433,7 +1433,7 @@ int len; } /* Not so likely to happen. */ - if (vallen >= len + sizeof (rhostname)) { + if (len - vallen >= sizeof (rhostname)) { dbglog("EAP: trimming really long peer name down"); BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); rhostname[sizeof (rhostname) - 1] = '\0'; @@ -1859,7 +1859,7 @@ int len; } /* Not so likely to happen. */ - if (vallen >= len + sizeof (rhostname)) { + if (len - vallen >= sizeof (rhostname)) { dbglog("EAP: trimming really long peer name down"); BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); rhostname[sizeof (rhostname) - 1] = '\0';
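Review bot: The corrected test `len - vallen >= sizeof (rhostname)` in the hunk at 1433 compares a signed difference with a `size_t` (the hunk context shows `int len;`; `vallen` is presumably also an int), so it is only correct because of the earlier `vallen < len` check that the commit message cites and that lies outside the hunk. A negative difference would convert to a very large unsigned value and take the trimming branch, so the dependency deserves a comment on the line above, e.g. `/* vallen < len was verified above, so len - vallen is positive */`. The hunk at 1859 carries the identical line and the same note applies there. Because both copies had the same faulty check, moving the peer-name copy into one static helper would leave a single bounds check to audit. Both enclosing functions start and end outside the hunks, so the `else` branch that copies `len - vallen` bytes could not be reviewed here.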