From c167a545408c46b69fc554ae5fdace19879b84fb Mon Sep 17 00:00:00 2001
From: Simon Goldschmidt
Date: Tue, 9 Jan 2024 21:23:11 +0100
Subject: [PATCH] ppp: use constant-time memcmp for checking credentials

See #65119
---
 src/netif/ppp/auth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/netif/ppp/auth.c b/src/netif/ppp/auth.c
index 3e174187..1f271752 100644
--- a/src/netif/ppp/auth.c
+++ b/src/netif/ppp/auth.c
@@ -1012,8 +1012,8 @@ int auth_check_passwd(ppp_pcb *pcb, char *auser, unsigned int userlen, char *apa
 secretpasswdlen = strlen(pcb->settings.passwd);
 if (secretuserlen == userlen
 && secretpasswdlen == passwdlen
- && !memcmp(auser, pcb->settings.user, userlen)
- && !memcmp(apasswd, pcb->settings.passwd, passwdlen) ) {
+ && !lwip_memcmp_consttime(auser, pcb->settings.user, userlen)
+ && !lwip_memcmp_consttime(apasswd, pcb->settings.passwd, passwdlen) ) {
 *msg = "Login ok";
 *msglen = sizeof("Login ok")-1;
 return 1;
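Review bot: The two constant-time compares are still joined by a short-circuiting `&&`, so the password compare is skipped whenever the user name differs, and the check's duration still depends on which credential was wrong. Assuming `lwip_memcmp_consttime` returns an int that is zero on equality (its definition is not in this hunk), the two added lines could be combined so both always run once the lengths match: `&& !(lwip_memcmp_consttime(auser, pcb->settings.user, userlen) | lwip_memcmp_consttime(apasswd, pcb->settings.passwd, passwdlen)) ) {`. The preceding length tests have to stay first to keep the compares in bounds, so they remain data-dependent; a short comment such as `/* length checks are not constant-time: only credential lengths can leak */` would record that as a deliberate limit. The body of `auth_check_passwd` starts and ends outside the hunk, so the failure path was not reviewed.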