ppp: use constant-time memcmp for checking credentials

See #65119
2024-06-28 17:08:49 +00:00 · 2024-01-09 21:23:11 +01:00 · 2024-01-09 21:23:11 +01:00 · c167a54540
commit c167a54540
parent 25de99d1c1
1 changed files with 2 additions and 2 deletions
--- a/src/netif/ppp/auth.c
+++ b/src/netif/ppp/auth.c
@ -1012,8 +1012,8 @@ int auth_check_passwd(ppp_pcb *pcb, char *auser, unsigned int userlen, char *apa
    secretpasswdlen = strlen(pcb->settings.passwd);
    if (secretuserlen == userlen
        && secretpasswdlen == passwdlen
-        && !memcmp(auser, pcb->settings.user, userlen)
-        && !memcmp(apasswd, pcb->settings.passwd, passwdlen) ) {
+        && !lwip_memcmp_consttime(auser, pcb->settings.user, userlen)
+        && !lwip_memcmp_consttime(apasswd, pcb->settings.passwd, passwdlen) ) {
      *msg = "Login ok";
      *msglen = sizeof("Login ok")-1;
      return 1;