diff options
author | Paul Mackerras <paulus@samba.org> | 2014-08-01 16:05:42 +1000 |
---|---|---|
committer | Paul Mackerras <paulus@samba.org> | 2014-08-01 21:36:48 +1000 |
commit | 7658e8257183f062dc01f87969c140707c7e52cb (patch) | |
tree | cba39f99e07ebbcc1efdcb94bac91b3dd19091e1 | |
parent | 880a81be7c8e0fe8567227bc17a1bff3ea035943 (diff) | |
download | ppp-7658e8257183f062dc01f87969c140707c7e52cb.tar.gz |
pppd: Eliminate potential integer overflow in option parsing
When we are reading in a word from an options file, we maintain a count
of the length we have seen so far in 'len', which is an int. When len
exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
buffer but we continue to increment len. Since len is an int, it will
wrap around to -2147483648 after it reaches 2147483647. At that point
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
characters to memory again.
This may enable an attacker to overwrite the heap and thereby corrupt
security-relevant variables. For this reason it has been assigned a
CVE identifier, CVE-2014-3158.
This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.
Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
-rw-r--r-- | pppd/options.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/pppd/options.c b/pppd/options.c index 45fa742..e9042d1 100644 --- a/pppd/options.c +++ b/pppd/options.c @@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename) /* * Store the resulting character for the escape sequence. */ - if (len < MAXWORDLEN-1) + if (len < MAXWORDLEN) { word[len] = value; - ++len; + ++len; + } if (!got) c = getc(f); @@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename) /* * An ordinary character: store it in the word and get another. */ - if (len < MAXWORDLEN-1) + if (len < MAXWORDLEN) { word[len] = c; - ++len; + ++len; + } c = getc(f); } |