author | Vladislav Grishenko <themiron@mail.ru> | 2020-08-02 19:09:13 +0500 |
---|---|---|
committer | Vladislav Grishenko <themiron@mail.ru> | 2020-08-02 19:09:13 +0500 |
commit | 8d1f8733b1a202431b0faf91d70f935f65b0cec2 (patch) | |
tree | 9310a4be5647ea35d16362f91a95c031ca6bed3c /accel-pppd/ppp | |
parent | befc6e430add4b322e01c492e69dd4ccb2f02b9d (diff) | |
ppp: lcp: auth: fix one-by-one oveflow
The LCP auth option does not account for the extra auth bytes
when the LCP request buffer is allocated for the chap/mschap/mschapv2
protocols, so the last byte corrupts memory, resulting in undefined
behavior, including crashes.
Diffstat (limited to 'accel-pppd/ppp')
-rw-r--r-- | accel-pppd/ppp/ppp_auth.c | 8 | ||||
-rw-r--r-- | accel-pppd/ppp/ppp_auth.h | 1 |
2 files changed, 7 insertions, 2 deletions
diff --git a/accel-pppd/ppp/ppp_auth.c b/accel-pppd/ppp/ppp_auth.c
index 33d00218..ab5200ab 100644
--- a/accel-pppd/ppp/ppp_auth.c
+++ b/accel-pppd/ppp/ppp_auth.c
@@ -15,7 +15,6 @@
 #include "memdebug.h"
 static LIST_HEAD(auth_handlers);
-static int extra_opt_len = 0;
 static int conf_noauth = 0;
 static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp);
@@ -75,11 +74,12 @@ static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp)
 struct ppp_auth_handler_t *h;
 struct auth_data_t *d;
 struct auth_layer_data_t *ad;
+ int auth_data_len = 0;
 ad = container_of(ppp_find_layer_data(lcp->ppp, &auth_layer), typeof(*ad), ld);
 ad->auth_opt.opt.id = CI_AUTH;
- ad->auth_opt.opt.len = 4 + extra_opt_len;
+ ad->auth_opt.opt.len = 4;
 INIT_LIST_HEAD(&ad->auth_opt.auth_list);
@@ -90,8 +90,12 @@ static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp)
 d = h->init(lcp->ppp);
 d->h = h;
 list_add_tail(&d->entry, &ad->auth_opt.auth_list);
+ if (auth_data_len < d->len)
+ auth_data_len = d->len;
 }
+ ad->auth_opt.opt.len += auth_data_len;
+
 return &ad->auth_opt.opt;
 }
diff --git a/accel-pppd/ppp/ppp_auth.h b/accel-pppd/ppp/ppp_auth.h
index e9398c29..97dfa293 100644
--- a/accel-pppd/ppp/ppp_auth.h
+++ b/accel-pppd/ppp/ppp_auth.h
@@ -13,6 +13,7 @@ struct auth_data_t
 struct list_head entry;
 int proto;
 int state;
+ int len;
 struct ppp_auth_handler_t *h;
 }; |
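Review bot: The maximum taken in the handler loop of auth_init is only as good as the `d->len` each handler's `init` returns, and the hunk states that contract nowhere. The handlers are not in this diff (the diffstat is limited to accel-pppd/ppp), so it cannot be confirmed here that chap/mschap/mschapv2 all set the field; one that leaves it at 0 would silently bring back the undersized LCP request buffer, and one that leaves it uninitialized would make the option length indeterminate. I would add `/* size the option for the largest per-protocol auth data; every handler init must set d->len */` above the `if`, and brace the two-line `if` body to match the enclosing loop. auth_init begins outside this hunk.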
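Review bot: The new `int len;` member of `struct auth_data_t` has no comment saying what it measures, although auth_init now adds it to the 4-byte option length. From the ppp_auth.c hunks it appears to be the number of extra option bytes a protocol appends beyond those 4 bytes; a comment such as `/* extra auth option bytes beyond the 4-byte header, set by the handler's init */` would make that explicit. Since a negative length is meaningless here, an unsigned type may also be worth considering, though the type of `opt.len` is not visible in this diff. The struct definition begins outside the hunk.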