ppp: lcp: auth: fix one-by-one oveflow

lcp auth doesn't take into account auth extra bytes
for lcp request buffer allocation for chap/mschap/mschapv2
protocols, so last byte corrupts memory with undefined behavior
incl. crash.

4 files changed, 4 insertions, 0 deletions

diff --git a/accel-pppd/auth/auth_chap_md5.c b/accel-pppd/auth/auth_chap_md5.c
index de7f7418..87d5edad 100644
--- a/accel-pppd/auth/auth_chap_md5.c
+++ b/accel-pppd/auth/auth_chap_md5.c
@@ -100,6 +100,7 @@ static struct auth_data_t* auth_data_init(struct ppp_t *ppp)
 
 	memset(d, 0, sizeof(*d));
 	d->auth.proto = PPP_CHAP;
+	d->auth.len = 1;
 	d->ppp = ppp;
 
 	return &d->auth;
diff --git a/accel-pppd/auth/auth_mschap_v1.c b/accel-pppd/auth/auth_mschap_v1.c
index 23b0f0e9..d00e1a7f 100644
--- a/accel-pppd/auth/auth_mschap_v1.c
+++ b/accel-pppd/auth/auth_mschap_v1.c
@@ -101,6 +101,7 @@ static struct auth_data_t* auth_data_init(struct ppp_t *ppp)
 
 	memset(d, 0, sizeof(*d));
 	d->auth.proto = PPP_CHAP;
+	d->auth.len = 1;
 	d->ppp = ppp;
 
 	return &d->auth;
diff --git a/accel-pppd/auth/auth_mschap_v2.c b/accel-pppd/auth/auth_mschap_v2.c
index 66e17f24..1c8e4443 100644
--- a/accel-pppd/auth/auth_mschap_v2.c
+++ b/accel-pppd/auth/auth_mschap_v2.c
@@ -105,6 +105,7 @@ static struct auth_data_t* auth_data_init(struct ppp_t *ppp)
 
 	memset(d, 0, sizeof(*d));
 	d->auth.proto = PPP_CHAP;
+	d->auth.len = 1;
 	d->ppp = ppp;
 
 	return &d->auth;
diff --git a/accel-pppd/auth/auth_pap.c b/accel-pppd/auth/auth_pap.c
index a2303d12..7becc472 100644
--- a/accel-pppd/auth/auth_pap.c
+++ b/accel-pppd/auth/auth_pap.c
@@ -73,6 +73,7 @@ static struct auth_data_t* auth_data_init(struct ppp_t *ppp)
 
 	memset(d, 0, sizeof(*d));
 	d->auth.proto = PPP_PAP;
+	d->auth.len = 0;
 	d->ppp = ppp;
 
 	return &d->auth;