diff options
author | Milan P. Stanić <mps@arvanta.net> | 2020-03-10 19:44:35 +0100 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2020-03-10 16:33:45 -0300 |
commit | 164563e65437c39f51dcb551e3e88c69aecc7ca1 (patch) | |
tree | dd12ad5fd0b618f84992552c39c76f6ef8ae806f /main/ppp/fix-bound-check-eap.patch | |
parent | 032abeb0cb17ff90166fdbce07c4a921c9147e45 (diff) |
main/ppp: secfix for radius and EAP
backported security fixes from upstream:
radius: Prevent buffer overflow in rc_mksid()
pppd: Fix bounds check in EAP code
pppd: Ignore received EAP messages when not doing EAP
add 'secfixes'
Diffstat (limited to 'main/ppp/fix-bound-check-eap.patch')
-rw-r--r-- | main/ppp/fix-bound-check-eap.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/main/ppp/fix-bound-check-eap.patch b/main/ppp/fix-bound-check-eap.patch new file mode 100644 index 00000000000..746eb70961a --- /dev/null +++ b/main/ppp/fix-bound-check-eap.patch @@ -0,0 +1,40 @@ +From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras <paulus@ozlabs.org> +Date: Mon, 3 Feb 2020 15:53:28 +1100 +Subject: [PATCH] pppd: Fix bounds check in EAP code + +Given that we have just checked vallen < len, it can never be the case +that vallen >= len + sizeof(rhostname). This fixes the check so we +actually avoid overflowing the rhostname array. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Paul Mackerras <paulus@ozlabs.org> +--- + pppd/eap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pppd/eap.c b/pppd/eap.c +index 94407f5..1b93db0 100644 +--- a/pppd/eap.c ++++ b/pppd/eap.c +@@ -1420,7 +1420,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0'; +@@ -1846,7 +1846,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0'; +-- +2.25.0 + |