mirror of
https://github.com/pvvx/RTL00_WEB.git
synced 2024-11-25 15:34:20 +00:00
vallen
is verified to be less than len
, therefore, it can never
be the case that `vallen >= len + sizeof(rhostname)`. This PR fixes the check so the `rhostname` array does not overflow. Reported-by: Github Security Lab <securitylab@github.com> Signed-off-by: Alvaro Muñoz <pwntester@github.com>
This commit is contained in:
parent
a999e4c2fd
commit
6970636256
1 changed files with 2 additions and 2 deletions
|
@ -1445,7 +1445,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Not so likely to happen. */
|
/* Not so likely to happen. */
|
||||||
if (vallen >= len + sizeof (rhostname)) {
|
if (len - vallen >= sizeof (rhostname)) {
|
||||||
ppp_dbglog("EAP: trimming really long peer name down");
|
ppp_dbglog("EAP: trimming really long peer name down");
|
||||||
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
|
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
|
||||||
rhostname[sizeof (rhostname) - 1] = '\0';
|
rhostname[sizeof (rhostname) - 1] = '\0';
|
||||||
|
@ -1876,7 +1876,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Not so likely to happen. */
|
/* Not so likely to happen. */
|
||||||
if (vallen >= len + sizeof (rhostname)) {
|
if (len - vallen >= sizeof (rhostname)) {
|
||||||
ppp_dbglog("EAP: trimming really long peer name down");
|
ppp_dbglog("EAP: trimming really long peer name down");
|
||||||
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
|
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
|
||||||
rhostname[sizeof (rhostname) - 1] = '\0';
|
rhostname[sizeof (rhostname) - 1] = '\0';
|
||||||
|
|
Loading…
Reference in a new issue