From 5b095342160fc5c7e7e5a42b202a2e7d535bb757 Mon Sep 17 00:00:00 2001 From: Dmitry Kozlov Date: Fri, 5 Jul 2013 15:04:26 +0400 Subject: auth_chap: fixed incorrect check for received buffer size --- accel-pppd/auth/auth_chap_md5.c | 2 +- accel-pppd/auth/auth_mschap_v1.c | 2 +- accel-pppd/auth/auth_mschap_v2.c | 2 +- accel-pppd/main.c | 8 ++------ 4 files changed, 5 insertions(+), 9 deletions(-) (limited to 'accel-pppd') diff --git a/accel-pppd/auth/auth_chap_md5.c b/accel-pppd/auth/auth_chap_md5.c index 7e14b8d5..8aa30189 100644 --- a/accel-pppd/auth/auth_chap_md5.c +++ b/accel-pppd/auth/auth_chap_md5.c @@ -404,7 +404,7 @@ static void chap_recv(struct ppp_handler_t *h) struct chap_auth_data_t *d = container_of(h, typeof(*d), h); struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf; - if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2) { + if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2) { log_ppp_warn("chap-md5: short packet received\n"); return; } diff --git a/accel-pppd/auth/auth_mschap_v1.c b/accel-pppd/auth/auth_mschap_v1.c index adfbc604..0dcaffd1 100644 --- a/accel-pppd/auth/auth_mschap_v1.c +++ b/accel-pppd/auth/auth_mschap_v1.c @@ -470,7 +470,7 @@ static void chap_recv(struct ppp_handler_t *h) struct chap_auth_data_t *d = container_of(h, typeof(*d), h); struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf; - if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2) { + if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2) { log_ppp_warn("mschap-v1: short packet received\n"); return; } diff --git a/accel-pppd/auth/auth_mschap_v2.c b/accel-pppd/auth/auth_mschap_v2.c index 444a9df2..3ee2adc3 100644 --- a/accel-pppd/auth/auth_mschap_v2.c +++ b/accel-pppd/auth/auth_mschap_v2.c @@ -607,7 +607,7 @@ static void chap_recv(struct ppp_handler_t *h) struct chap_auth_data_t *d = container_of(h, typeof(*d), h); struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf; - if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2) { + if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2) { log_ppp_warn("mschap-v2: short packet received\n"); return; } diff --git a/accel-pppd/main.c b/accel-pppd/main.c index 365aee00..3b94353f 100644 --- a/accel-pppd/main.c +++ b/accel-pppd/main.c @@ -146,9 +146,9 @@ void core_restart(int soft) char *argv[16]; char *ptr = cmdline, *endptr; - if (fork()) { + if (soft && fork()) { //close_all_fd(); - _exit(0); + return; } pthread_sigmask(SIG_SETMASK, &orig_set, NULL); @@ -224,11 +224,7 @@ static void sigsegv(int num) } out: -#ifdef USE_BACKUP core_restart(1); -#else - core_restart(0); -#endif if (conf_dump) { lim.rlim_cur = RLIM_INFINITY; -- cgit v1.2.3