diff options
| author | Denys Fedoryshchenko <denys.f@collabora.com> | 2025-11-26 20:38:02 +0200 |
|---|---|---|
| committer | Denys Fedoryshchenko <denys.f@collabora.com> | 2025-11-26 20:39:13 +0200 |
| commit | 2bbf451b94a3a9a96cdc8cbdb60a559f275dc0e6 (patch) | |
| tree | 3c91642b8ed391aee50ee3d3067d98897c56b2f9 /docs | |
| parent | d013d3ff2150ca425ff13ce69d0eab394153803a (diff) | |
| download | accel-ppp-2bbf451b94a3a9a96cdc8cbdb60a559f275dc0e6.tar.gz accel-ppp-2bbf451b94a3a9a96cdc8cbdb60a559f275dc0e6.zip | |
l2tp: fix buffer overflow and type errors in Calling/Called Number handling
Fix issues introduced in 88a2ebdb:
- Fix type declaration: uint8_t *calling[254] declared an array of 254
pointers instead of an array of 254 bytes. Remove erroneous asterisks.
- Fix buffer overflow vulnerability: L2TP AVP values can be up to 1017
bytes (L2TP_AVP_LEN_MASK - sizeof(avp_header)), but buffers were only
254(*4?) bytes. A malicious packet could cause stack buffer overflow.
Use L2TP_AVP_LEN_MASK (1023) for buffer size to handle maximum AVP length.
- Remove useless NULL checks: Stack-allocated arrays can never be NULL,
causing compiler warnings. The existence check is n > 0 / m > 1.
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
Diffstat (limited to 'docs')
0 files changed, 0 insertions, 0 deletions
