Add safeguards to parse_gw_ip_address helper functions

In case of invalid configuration we might get stack overflow
with unexpected consequences.

Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>

2 files changed, 16 insertions, 0 deletions

diff --git a/accel-pppd/extra/chap-secrets.c b/accel-pppd/extra/chap-secrets.c
index 849ceef..b486bb1 100644
--- a/accel-pppd/extra/chap-secrets.c
+++ b/accel-pppd/extra/chap-secrets.c
@@ -739,9 +739,22 @@ static void parse_gw_ip_address(const char *opt)
 	const char *ptr = strchr(opt, '/');
 
 	if (ptr) {
+		// safeguard, we don't want to overflow/underflow addr
+		if (ptr - opt > 16 || ptr - opt < 7) {
+			log_error("chap-secrets: invalid gw-ip-address %s\n", opt);
+			conf_gw_ip_address = 0;
+			conf_netmask = 0;
+			return;
+		}
 		memcpy(addr, opt, ptr - opt);
 		addr[ptr - opt] = 0;
 		conf_gw_ip_address = inet_addr(addr);
+		// safeguard, if / is the last character, then ptr + 1 == NULL
+		if (!ptr[1]) {
+			log_error("chap-secrets: invalid netmask %s\n", ptr);
+			conf_netmask = 32;
+			return;
+		}
 		conf_netmask = atoi(ptr + 1);
 		if (conf_netmask < 0 || conf_netmask > 32) {
 			log_error("chap-secrets: invalid netmask %i\n", conf_netmask);
diff --git a/accel-pppd/extra/ippool.c b/accel-pppd/extra/ippool.c
index 6ba2b5d..3ae48e9 100644
--- a/accel-pppd/extra/ippool.c
+++ b/accel-pppd/extra/ippool.c
@@ -108,6 +108,9 @@ static void parse_gw_ip_address(const char *val)
 
 	ptr = strchr(val, '/');
 	if (ptr) {
+		// safeguard, don't crash on oversized or undersized strings
+		if (ptr - val > 15 || ptr - val < 7)
+			return;
 		memcpy(addr, val, ptr - val);
 		addr[ptr - val] = 0;
 		conf_gw_ip_address = inet_addr(addr);