diff options
| author | GitHub Security Lab <61799930+ghsecuritylab@users.noreply.github.com> | 2020-09-08 15:33:41 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-09-08 15:33:41 +0300 |
| commit | 7c571137d68a1a2de0d79e2dc1741793a96c7279 (patch) | |
| tree | 0f0aff55e53dbd4835cccfbcb711b3bf1f3d3a25 | |
| parent | b93a6e663e9b67b0f575e6fd76c3767baca81ff6 (diff) | |
`vallen` is verified to be less than `len`, therefore, it can never (#365)
be the case that `vallen >= len + sizeof(rhostname)`.
This PR fixes the check so the `rhostname` array does not overflow.
Reported-by: Github Security Lab <securitylab@github.com>
Signed-off-by: Alvaro Muñoz <pwntester@github.com>
| -rw-r--r-- | src/Networking/LwipEthernet/Lwip/src/netif/ppp/eap.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/Networking/LwipEthernet/Lwip/src/netif/ppp/eap.c b/src/Networking/LwipEthernet/Lwip/src/netif/ppp/eap.c index 8fb56368..971f58b9 100644 --- a/src/Networking/LwipEthernet/Lwip/src/netif/ppp/eap.c +++ b/src/Networking/LwipEthernet/Lwip/src/netif/ppp/eap.c @@ -1417,7 +1417,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) { } /* Not so likely to happen. */ - if (vallen >= len + sizeof (rhostname)) { + if (len - vallen >= sizeof (rhostname)) { ppp_dbglog("EAP: trimming really long peer name down"); MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1); rhostname[sizeof (rhostname) - 1] = '\0'; @@ -1845,7 +1845,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { } /* Not so likely to happen. */ - if (vallen >= len + sizeof (rhostname)) { + if (len - vallen >= sizeof (rhostname)) { ppp_dbglog("EAP: trimming really long peer name down"); MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1); rhostname[sizeof (rhostname) - 1] = '\0'; |