From 7658e8257183f062dc01f87969c140707c7e52cb Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@samba.org>
Date: Fri, 1 Aug 2014 16:05:42 +1000
Subject: [PATCH] pppd: Eliminate potential integer overflow in option parsing
When we are reading in a word from an options file, we maintain a count
of the length we have seen so far in 'len', which is an int. When len
reaches MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
buffer but we continue to increment len. Since len is an int, it will
wrap around to -2147483648 after it reaches 2147483647. At that point
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
characters to memory again.
This may enable an attacker to overwrite the heap and thereby corrupt
security-relevant variables. For this reason it has been assigned a
CVE identifier, CVE-2014-3158.
This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.
Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
---
pppd/options.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/pppd/options.c b/pppd/options.c
index 45fa742..e9042d1 100644
--- a/pppd/options.c
+++ b/pppd/options.c
@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
/*
* Store the resulting character for the escape sequence.
*/
- if (len < MAXWORDLEN-1)
+ if (len < MAXWORDLEN) {
word[len] = value;
- ++len;
+ ++len;
+ }
|
if (!got)
c = getc(f);
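Review bot: The new bound `len < MAXWORDLEN` lets the store `word[len] = value;` write index MAXWORDLEN-1, one byte further than the old `MAXWORDLEN-1` bound allowed, so whatever NUL-terminates `word` after the read loop must clamp `len` to `MAXWORDLEN - 1` before `word[len] = 0`, or the terminator lands one past a MAXWORDLEN-byte buffer. That termination code and the declaration of `word` are outside this hunk, so the clamp should be confirmed rather than assumed. The invariant the fix relies on, that `len` never advances past MAXWORDLEN and therefore cannot wrap, is not stated at the site, and a later tidy-up could reintroduce the unconditional `++len`. A comment on the new `if`, such as `/* Stop counting at MAXWORDLEN: a multi-GiB word would otherwise wrap len and re-enable stores (CVE-2014-3158). */`, would record it. getword begins and ends outside the hunk.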
@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
/*
* An ordinary character: store it in the word and get another.
*/
- if (len < MAXWORDLEN-1)
+ if (len < MAXWORDLEN) {
word[len] = c;
- ++len;
+ ++len;
+ }
|
c = getc(f);
}
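Review bot: This second guarded store repeats the escape-sequence one above with the identical bound, and neither site says why the count must stop at MAXWORDLEN instead of tracking the word's true length, so a maintainer editing one path could easily let the two drift apart and lose the bound on one of them. A small `static` helper that takes `word`, `&len` and the character, or at least a comment at this site such as `/* Never advance len past MAXWORDLEN: an unbounded int count wraps on a huge word and would re-enable stores (CVE-2014-3158). */`, would keep the rule in one place. Note that once the bound is hit, characters are now dropped silently here; whether the caller learns that the word was truncated depends on the length check after the loop, which is outside the hunk. getword starts and ends outside the hunk.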
--
1.8.3.1