From 49bbc2d4bfe7c360e604721fd7ff8375aaf0f070 Mon Sep 17 00:00:00 2001
From: Sylvain Rochet
Date: Fri, 16 Oct 2020 19:27:46 +0200
Subject: [PATCH] PPP, PPPoE: prevent integer overflows when computing packets length

Check that service_name and concentrator_name strings length will not trigger integer overflows when computing packets length.
---
 src/netif/ppp/pppoe.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/netif/ppp/pppoe.c b/src/netif/ppp/pppoe.c
index 229fe461..5098d8dd 100644
--- a/src/netif/ppp/pppoe.c
+++ b/src/netif/ppp/pppoe.c
@@ -175,12 +175,29 @@ ppp_pcb *pppoe_create(struct netif *pppif,
 {
   ppp_pcb *ppp;
   struct pppoe_softc *sc;
-#if !PPPOE_SCNAME_SUPPORT
+#if PPPOE_SCNAME_SUPPORT
+  size_t l;
+#else /* PPPOE_SCNAME_SUPPORT */
   LWIP_UNUSED_ARG(service_name);
   LWIP_UNUSED_ARG(concentrator_name);
-#endif /* !PPPOE_SCNAME_SUPPORT */
+#endif /* PPPOE_SCNAME_SUPPORT */
   LWIP_ASSERT_CORE_LOCKED();
 
+#if PPPOE_SCNAME_SUPPORT
+  /*
+   * Check that service_name and concentrator_name strings length will
+   * not trigger integer overflows when computing packets length.
+   */
+  l = strlen(service_name);
+  if (l > 1024) {
+    return NULL;
+  }
+  l = strlen(concentrator_name);
+  if (l > 1024) {
+    return NULL;
+  }
+#endif /* PPPOE_SCNAME_SUPPORT */
+
   sc = (struct pppoe_softc *)LWIP_MEMPOOL_ALLOC(PPPOE_IF);
   if (sc == NULL) {
     return NULL;
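Review bot: The new `strlen(service_name)` and `strlen(concentrator_name)` calls in the PPPOE_SCNAME_SUPPORT block dereference both pointers unconditionally, and nothing in the hunk rules out a NULL argument; the parameters are plain `const char *`, so if callers are allowed to pass NULL to mean "no name" (the rest of pppoe_create and its callers are outside the hunk — please confirm), the added length check turns into a NULL dereference before the length is ever computed. A guard of the form `if (service_name != NULL && strlen(service_name) > 1024) { return NULL; }` (and the same for concentrator_name) keeps the overflow protection, tolerates absent names and removes the need for the `l` temporary; if NULL is in fact not accepted here, an explicit NULL check returning NULL would document that contract. The literal 1024 also deserves a named constant and a one-line comment saying why that bound is safe for the packet-length arithmetic it protects, for example `/* 1024 keeps 2 + 2 + len per tag well inside the packet length type used by the PADI/PADR builders — confirm against those functions */`. pppoe_create's body continues past the end of the hunk.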