diff options
author | Denys Fedoryshchenko <denys.f@collabora.com> | 2024-03-10 17:34:00 +0200 |
---|---|---|
committer | Denys Fedoryshchenko <denys.f@collabora.com> | 2024-03-10 17:35:33 +0200 |
commit | 78db7640db0e2afa8403d721fd241ae901ba0bde (patch) | |
tree | 46453cc95ba697464e27f482fc9c29a3414a1bbd | |
parent | 827431d1b60bbd0ce140394e888b73d05f095ff1 (diff) | |
download | accel-ppp-xebd-78db7640db0e2afa8403d721fd241ae901ba0bde.tar.gz accel-ppp-xebd-78db7640db0e2afa8403d721fd241ae901ba0bde.zip |
Add safeguards to parse_gw_ip_address helper functions
In case of invalid configuration we might get stack overflow
with unexpected consequences.
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
-rw-r--r-- | accel-pppd/extra/chap-secrets.c | 13 | ||||
-rw-r--r-- | accel-pppd/extra/ippool.c | 3 |
2 files changed, 16 insertions, 0 deletions
diff --git a/accel-pppd/extra/chap-secrets.c b/accel-pppd/extra/chap-secrets.c index 849ceef..b486bb1 100644 --- a/accel-pppd/extra/chap-secrets.c +++ b/accel-pppd/extra/chap-secrets.c @@ -739,9 +739,22 @@ static void parse_gw_ip_address(const char *opt) const char *ptr = strchr(opt, '/'); if (ptr) { + // safeguard, we don't want to overflow/underflow addr + if (ptr - opt > 16 || ptr - opt < 7) { + log_error("chap-secrets: invalid gw-ip-address %s\n", opt); + conf_gw_ip_address = 0; + conf_netmask = 0; + return; + } memcpy(addr, opt, ptr - opt); addr[ptr - opt] = 0; conf_gw_ip_address = inet_addr(addr); + // safeguard, if / is the last character, then ptr + 1 == NULL + if (!ptr[1]) { + log_error("chap-secrets: invalid netmask %s\n", ptr); + conf_netmask = 32; + return; + } conf_netmask = atoi(ptr + 1); if (conf_netmask < 0 || conf_netmask > 32) { log_error("chap-secrets: invalid netmask %i\n", conf_netmask); diff --git a/accel-pppd/extra/ippool.c b/accel-pppd/extra/ippool.c index 6ba2b5d..3ae48e9 100644 --- a/accel-pppd/extra/ippool.c +++ b/accel-pppd/extra/ippool.c @@ -108,6 +108,9 @@ static void parse_gw_ip_address(const char *val) ptr = strchr(val, '/'); if (ptr) { + // safeguard, don't crash on oversized or undersized strings + if (ptr - val > 15 || ptr - val < 7) + return; memcpy(addr, val, ptr - val); addr[ptr - val] = 0; conf_gw_ip_address = inet_addr(addr); |