Commit b9b7429
pppd: Add checks to avoid out-of-bounds writes to inpacket_buf and outpacket_buf

In ipcp_reqci(), there is code that appends a CI_ADDR option to the
list of options being returned as a Configure-Nak. Add a check to
this code to ensure that there is sufficient space to append the
option, so that a malicious peer can't cause the code to write past
the end of inpacket_buf (which is what 'inp' points to).

In fsm_sdata(), the code that trims the length of the outgoing packet
to the peer's MRU could potentially result in the length being greater
than 1500, causing the following code to write beyond the end of the
outpacket_buf array if the peer has negotiated an MRU larger than
1500. To prevent this, limit the length to 1500 or the peer's MRU,
whichever is smaller.

These issues were found by Sebastian Eisenreich-Dietz (CyberDanube) in
cooperation with A&R TECH.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>

1 parent a9fe706 commit b9b7429
2 files changed
Lines changed: 7 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
762 | 762 | | |
763 | 763 | | |
764 | 764 | | |
765 | | - | |
| 765 | + | |
766 | 766 | | |
767 | 767 | | |
768 | 768 | | |
769 | | - | |
770 | | - | |
| 769 | + | |
| 770 | + | |
| 771 | + | |
771 | 772 | | |
772 | 773 | | |
773 | 774 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1709 | 1709 | | |
1710 | 1710 | | |
1711 | 1711 | | |
1712 | | - | |
| 1712 | + | |
1713 | 1713 | | |
1714 | 1714 | | |
1715 | 1715 | | |
1716 | 1716 | | |
1717 | 1717 | | |
1718 | | - | |
| 1718 | + | |
| 1719 | + | |
1719 | 1720 | | |
1720 | 1721 | | |
1721 | 1722 | | |
| |||
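The two kinds of check the commit message describes (room for one more option before appending it, and a payload length capped by both the peer's MRU and the buffer size), shown as an added C example that is not pppd's code. The function names, `BUF_SIZE` and `HDR_LEN` are assumptions made for illustration; the option type 3 and length 6 are the IPCP IP-Address option from RFC 1332.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define BUF_SIZE     1500 /* assumed size of the fixed packet buffer */
#define HDR_LEN      4    /* assumed header: code, id, 2-byte length */
#define OPT_ADDR     3    /* IPCP IP-Address option type (RFC 1332) */
#define OPT_ADDR_LEN 6    /* type + length + 4-byte address */

/* Append an address option at offset *used in buf (capacity cap). Returns 1
 * and advances *used, or 0 with nothing written when the option won't fit. */
int append_addr_opt(uint8_t *buf, size_t cap, size_t *used,
                    const uint8_t addr[4])
{
    if (*used > cap || cap - *used < OPT_ADDR_LEN)
        return 0;
    buf[*used] = OPT_ADDR;
    buf[*used + 1] = OPT_ADDR_LEN;
    memcpy(buf + *used + 2, addr, 4);
    *used += OPT_ADDR_LEN;
    return 1;
}

/* Payload bytes that fit within min(peer_mru, BUF_SIZE) after the header. */
size_t clamp_datalen(size_t datalen, size_t peer_mru)
{
    size_t limit = peer_mru < BUF_SIZE ? peer_mru : BUF_SIZE;
    if (limit < HDR_LEN)
        return 0;
    return datalen > limit - HDR_LEN ? limit - HDR_LEN : datalen;
}

/* Build header + clamped payload in out; returns the total packet length. */
size_t build_packet(uint8_t out[BUF_SIZE], uint8_t code, uint8_t id,
                    const uint8_t *data, size_t datalen, size_t peer_mru)
{
    datalen = clamp_datalen(datalen, peer_mru);
    size_t total = HDR_LEN + datalen;
    out[0] = code;
    out[1] = id;
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xff);
    memcpy(out + HDR_LEN, data, datalen);
    return total;
}

int main(void)
{
    static uint8_t out[BUF_SIZE], big[4000]; /* constructed oversized payload */
    return build_packet(out, 9, 1, big, sizeof big, 65535) == BUF_SIZE ? 0 : 1;
}
```

Clamping only to the peer's MRU is what lets a peer that negotiated a large MRU push the length past the buffer; taking the minimum with the buffer size closes that gap regardless of what was negotiated.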