From 8d1f8733b1a202431b0faf91d70f935f65b0cec2 Mon Sep 17 00:00:00 2001
From: Vladislav Grishenko
Date: Sun, 2 Aug 2020 19:09:13 +0500
Subject: ppp: lcp: auth: fix one-by-one oveflow
lcp auth doesn't take into account auth extra bytes for lcp request buffer allocation for chap/mschap/mschapv2 protocols, so last byte corrupts memory with undefined behavior incl. crash.
---
 accel-pppd/ppp/ppp_auth.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'accel-pppd/ppp/ppp_auth.c')
diff --git a/accel-pppd/ppp/ppp_auth.c b/accel-pppd/ppp/ppp_auth.c
index 33d00218..ab5200ab 100644
--- a/accel-pppd/ppp/ppp_auth.c
+++ b/accel-pppd/ppp/ppp_auth.c
@@ -15,7 +15,6 @@
 #include "memdebug.h"
 static LIST_HEAD(auth_handlers);
-static int extra_opt_len = 0;
 static int conf_noauth = 0;
 static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp);
@@ -75,11 +74,12 @@ static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp)
 struct ppp_auth_handler_t *h;
 struct auth_data_t *d;
 struct auth_layer_data_t *ad;
+ int auth_data_len = 0;
 ad = container_of(ppp_find_layer_data(lcp->ppp, &auth_layer), typeof(*ad), ld);
 ad->auth_opt.opt.id = CI_AUTH;
- ad->auth_opt.opt.len = 4 + extra_opt_len;
+ ad->auth_opt.opt.len = 4;
 INIT_LIST_HEAD(&ad->auth_opt.auth_list);
@@ -90,8 +90,12 @@ static struct lcp_option_t *auth_init(struct ppp_lcp_t *lcp)
 d = h->init(lcp->ppp);
 d->h = h;
 list_add_tail(&d->entry, &ad->auth_opt.auth_list);
+ if (auth_data_len < d->len)
+ auth_data_len = d->len;
 }
+ ad->auth_opt.opt.len += auth_data_len;
+
 return &ad->auth_opt.opt;
 }
-- cgit v1.2.3
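Review bot: The bare `4` now assigned to `ad->auth_opt.opt.len` is undocumented, even though the commit message says this length feeds the LCP request buffer allocation that came up one byte short. A comment beside it would pin the arithmetic, for example `/* option type + length + 2-byte auth protocol; per-handler data is added after the loop */` (presumably the RFC 1661 Authentication-Protocol layout; confirm against the code that writes the option). The `int auth_data_len = 0;` declaration is also a good place to say it holds the largest handler `len` seen, not a sum. auth_init's body continues past this hunk.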
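Review bot: The new sizing trusts `d->len` from every handler, and `d` is dereferenced straight after `h->init(lcp->ppp)` with no NULL check. A handler that returns NULL would crash here, and one that leaves `len` unset or negative would leave the option under-sized as before; if init() can fail, a guard such as `if (!d) continue;` before `d->h = h;` would cover the first case. The struct definition and the handlers' init() functions are outside this diff, so confirm each one zero-initialises its data and sets `len` to the bytes it writes beyond the 4-byte base. If `opt.len` ends up in the one-byte LCP option length field, an upper bound on the sum belongs here too, and a regression test that negotiates CHAP and MS-CHAP under AddressSanitizer would catch a recurrence. auth_init starts before this hunk.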