From 96eca1b86e5c586b54b7fd84c8967c4c5b4b4878 Mon Sep 17 00:00:00 2001
From: Dmitry Kozlov <xeb@mail.ru>
Date: Fri, 5 Jul 2013 15:04:26 +0400
Subject: auth_chap: fixed incorrect check for received buffer size

---
 accel-pppd/auth/auth_chap_md5.c  | 2 +-
 accel-pppd/auth/auth_mschap_v1.c | 2 +-
 accel-pppd/auth/auth_mschap_v2.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/accel-pppd/auth/auth_chap_md5.c b/accel-pppd/auth/auth_chap_md5.c
index f4bddad9..e1aaed9a 100644
--- a/accel-pppd/auth/auth_chap_md5.c
+++ b/accel-pppd/auth/auth_chap_md5.c
@@ -404,7 +404,7 @@ static void chap_recv(struct ppp_handler_t *h)
 	struct chap_auth_data_t *d = container_of(h, typeof(*d), h);
 	struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf;
 
-	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2)	{
+	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2)	{
 		log_ppp_warn("chap-md5: short packet received\n");
 		return;
 	}
diff --git a/accel-pppd/auth/auth_mschap_v1.c b/accel-pppd/auth/auth_mschap_v1.c
index 4e250a06..52823305 100644
--- a/accel-pppd/auth/auth_mschap_v1.c
+++ b/accel-pppd/auth/auth_mschap_v1.c
@@ -470,7 +470,7 @@ static void chap_recv(struct ppp_handler_t *h)
 	struct chap_auth_data_t *d = container_of(h, typeof(*d), h);
 	struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf;
 
-	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2) {
+	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2) {
 		log_ppp_warn("mschap-v1: short packet received\n");
 		return;
 	}
diff --git a/accel-pppd/auth/auth_mschap_v2.c b/accel-pppd/auth/auth_mschap_v2.c
index 980f8159..64748559 100644
--- a/accel-pppd/auth/auth_mschap_v2.c
+++ b/accel-pppd/auth/auth_mschap_v2.c
@@ -607,7 +607,7 @@ static void chap_recv(struct ppp_handler_t *h)
 	struct chap_auth_data_t *d = container_of(h, typeof(*d), h);
 	struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf;
 
-	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2) {
+	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2) {
 		log_ppp_warn("mschap-v2: short packet received\n");
 		return;
 	}
-- 
cgit v1.2.3