Merge pull request #6 from ghsecuritylab/fix/GSL/prevent_rhostname_overflow

[SECURITY] Prevent `rhostname` array overflow
2024-12-04 12:10:28 +00:00 · 2020-03-09 15:05:28 -04:00 · 2020-03-09 15:05:28 -04:00 · 550db43b89
commit 550db43b89
parent 76247cfc7a ebb1e6228b
1 changed files with 2 additions and 2 deletions
--- a/component/common/network/lwip/lwip_v1.5.0.beta/src/netif/ppp/eap.c
+++ b/component/common/network/lwip/lwip_v1.5.0.beta/src/netif/ppp/eap.c
@ -1445,7 +1445,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
 		}
 		/* Not so likely to happen. */
-		if (vallen >= len + sizeof (rhostname)) {
+		if (len - vallen >= sizeof (rhostname)) {
 			ppp_dbglog("EAP: trimming really long peer name down");
 			MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
 			rhostname[sizeof (rhostname) - 1] = '\0';
@ -1876,7 +1876,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
 		}
 		/* Not so likely to happen. */
-		if (vallen >= len + sizeof (rhostname)) {
+		if (len - vallen >= sizeof (rhostname)) {
 			ppp_dbglog("EAP: trimming really long peer name down");
 			MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
 			rhostname[sizeof (rhostname) - 1] = '\0';