PPP, EAP: fix bounds check in EAP code

Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname).  This fixes the check so we
actually avoid overflowing the rhostname array.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Sylvain Rochet <gradator@gradator.net> (compiler warning fix about int vs uint comparisons)
Paul Mackerras 2020-02-10 23:21:35 +01:00 committed by Sylvain Rochet
parent 5e52d1a4b1
commit 2ee3cbe69c

@ -1417,7 +1417,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
}
/* Not so likely to happen. */
if (vallen >= len + sizeof (rhostname)) {
if (len - vallen >= (int)sizeof (rhostname)) {
ppp_dbglog(("EAP: trimming really long peer name down"));
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
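
Review bot: the new condition `len - vallen >= (int)sizeof (rhostname)` compares as signed int, so it is only correct while `len - vallen` is positive, and the `vallen < len` check the commit message relies on sits outside this hunk. Please state that invariant in the comment at the condition, replacing "Not so likely to happen." with a line saying that the remaining `len - vallen` bytes of peer name are truncated to fit `rhostname`, so a later edit to the earlier check does not silently reopen the overflow.
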
@ -1845,7 +1845,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
}
/* Not so likely to happen. */
if (vallen >= len + sizeof (rhostname)) {
if (len - vallen >= (int)sizeof (rhostname)) {
ppp_dbglog(("EAP: trimming really long peer name down"));
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
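
Review bot: the condition and the trimming `MEMCPY` plus terminator in eap_response are a line-for-line copy of the block in eap_request, which is how the same wrong comparison had to be corrected in two places. Consider moving the peer-name copy into one static helper that takes `inp + vallen`, `len - vallen` and the destination size, so the bound is written and reviewed once.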