mirror of
https://github.com/lwip-tcpip/lwip.git
synced 2024-12-25 09:16:20 +00:00
PPP, EAP: fix bounds check in EAP code
Given that we have just checked vallen < len, it can never be the case that vallen >= len + sizeof(rhostname). This fixes the check so we actually avoid overflowing the rhostname array. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Paul Mackerras <paulus@ozlabs.org> Signed-off-by: Sylvain Rochet <gradator@gradator.net> (compiler warning fix about int vs uint comparisons)
This commit is contained in:
parent
5e52d1a4b1
commit
2ee3cbe69c
@ -1417,7 +1417,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
|
||||
}
|
||||
|
||||
/* Not so likely to happen. */
|
||||
if (vallen >= len + sizeof (rhostname)) {
|
||||
if (len - vallen >= (int)sizeof (rhostname)) {
|
||||
ppp_dbglog(("EAP: trimming really long peer name down"));
|
||||
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
|
||||
rhostname[sizeof (rhostname) - 1] = '\0';
|
||||
@ -1845,7 +1845,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
|
||||
}
|
||||
|
||||
/* Not so likely to happen. */
|
||||
if (vallen >= len + sizeof (rhostname)) {
|
||||
if (len - vallen >= (int)sizeof (rhostname)) {
|
||||
ppp_dbglog(("EAP: trimming really long peer name down"));
|
||||
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
|
||||
rhostname[sizeof (rhostname) - 1] = '\0';
|
||||
|
Loading…
Reference in New Issue
Block a user