vallen is verified to be less than len, therefore, it can never

be the case that `vallen >= len + sizeof(rhostname)`.

This PR fixes the check so the `rhostname` array does not overflow.

Reported-by: Github Security Lab <securitylab@github.com>
Signed-off-by: Alvaro Muñoz <pwntester@github.com>
This commit is contained in:
Github Security Lab 2020-03-08 00:46:23 +01:00
parent 28cd8da44d
commit 3ced11227f

View file

@ -1445,7 +1445,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
} }
/* Not so likely to happen. */ /* Not so likely to happen. */
if (vallen >= len + sizeof (rhostname)) { if (len - vallen >= sizeof (rhostname)) {
ppp_dbglog("EAP: trimming really long peer name down"); ppp_dbglog("EAP: trimming really long peer name down");
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1); MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0'; rhostname[sizeof (rhostname) - 1] = '\0';
@ -1876,7 +1876,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
} }
/* Not so likely to happen. */ /* Not so likely to happen. */
if (vallen >= len + sizeof (rhostname)) { if (len - vallen >= sizeof (rhostname)) {
ppp_dbglog("EAP: trimming really long peer name down"); ppp_dbglog("EAP: trimming really long peer name down");
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1); MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0'; rhostname[sizeof (rhostname) - 1] = '\0';