From 5b095342160fc5c7e7e5a42b202a2e7d535bb757 Mon Sep 17 00:00:00 2001 From: Dmitry Kozlov Date: Fri, 5 Jul 2013 15:04:26 +0400 Subject: auth_chap: fixed incorrect check for received buffer size --- accel-pppd/auth/auth_mschap_v1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'accel-pppd/auth/auth_mschap_v1.c') diff --git a/accel-pppd/auth/auth_mschap_v1.c b/accel-pppd/auth/auth_mschap_v1.c index adfbc604..0dcaffd1 100644 --- a/accel-pppd/auth/auth_mschap_v1.c +++ b/accel-pppd/auth/auth_mschap_v1.c @@ -470,7 +470,7 @@ static void chap_recv(struct ppp_handler_t *h) struct chap_auth_data_t *d = container_of(h, typeof(*d), h); struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf; - if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2) { + if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2) { log_ppp_warn("mschap-v1: short packet received\n"); return; } -- cgit v1.2.3