PPP, PPPoE: prevent integer overflows when computing packets length

Check that the lengths of the service_name and concentrator_name strings
will not trigger integer overflows when computing packet lengths.
Sylvain Rochet 2020-10-16 19:27:46 +02:00
parent 678a7a4044
commit 49bbc2d4bf


@ -175,12 +175,29 @@ ppp_pcb *pppoe_create(struct netif *pppif,
{ {
ppp_pcb *ppp; ppp_pcb *ppp;
struct pppoe_softc *sc; struct pppoe_softc *sc;
#if !PPPOE_SCNAME_SUPPORT #if PPPOE_SCNAME_SUPPORT
size_t l;
#else /* PPPOE_SCNAME_SUPPORT */
LWIP_UNUSED_ARG(service_name); LWIP_UNUSED_ARG(service_name);
LWIP_UNUSED_ARG(concentrator_name); LWIP_UNUSED_ARG(concentrator_name);
#endif /* !PPPOE_SCNAME_SUPPORT */ #endif /* PPPOE_SCNAME_SUPPORT */
LWIP_ASSERT_CORE_LOCKED(); LWIP_ASSERT_CORE_LOCKED();
#if PPPOE_SCNAME_SUPPORT
/*
* Check that service_name and concentrator_name strings length will
* not trigger integer overflows when computing packets length.
*/
l = strlen(service_name);
if (l > 1024) {
return NULL;
}
l = strlen(concentrator_name);
if (l > 1024) {
return NULL;
}
#endif /* PPPOE_SCNAME_SUPPORT */
sc = (struct pppoe_softc *)LWIP_MEMPOOL_ALLOC(PPPOE_IF); sc = (struct pppoe_softc *)LWIP_MEMPOOL_ALLOC(PPPOE_IF);
if (sc == NULL) { if (sc == NULL) {
return NULL; return NULL;