From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH] ppp: Add upstream patch to fix bounds check in EAP code.
Date: Sat, 22 Feb 2020 15:02:24 +0100
Message-ID: <20200222140224.6322-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5580487714864578032=="
List-Id:
--===============5580487714864578032==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Signed-off-by: Stefan Schantl
---
 lfs/ppp | 1 +
 ....8-pppd-fix-bounds-check-in-eap-code.patch | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-co= de.patch
diff --git a/lfs/ppp b/lfs/ppp
index 607765bd0..cbac95067 100644
--- a/lfs/ppp
+++ b/lfs/ppp
@@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-u= se-SOCK_CLOEXEC-when-creating-socket.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increas= e-max-padi-attempts.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers= _4.9.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.8-pppd-fi= x-bounds-check-in-eap-code.patch
 cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-erro= rs+" pppd/pathnames.h
 cd $(DIR_APP) && ./configure --prefix=3D/usr --disable-nls
 cd $(DIR_APP) && make $(MAKETUNING) CC=3D"gcc" RPM_OPT_FLAGS=3D"$(CFLAGS)"
diff --git a/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patc= h b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
new file mode 100644
index 000000000..858769f48
--- /dev/null
+++ b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
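Review bot: The commit description carries only a Signed-off-by, so neither the log nor lfs/ppp says why the added `cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch` line matters: the vendored patch closes an overflow of the rhostname array in pppd/eap.c, which is a security fix rather than a build tweak, and the description should say so and cite upstream commit 8d7970b8f3db727fe798b65f3377fe6787575426 so the change can be tracked into a core update. The new patch is named for ppp 2.4.8 while its neighbours are named for 2.4.6 and 2.4.7; the VER this lfs file builds is not visible in the hunk, so confirm in the build log that both hunks of the vendored patch (eap.c around lines 1420 and 1846) apply without fuzz to that release, since a silently rejected hunk would leave the overflow in place. The enclosing $(TARGET) recipe starts and ends outside the hunk.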
@@ -0,0 +1,35 @@
+commit 8d7970b8f3db727fe798b65f3377fe6787575426
+Author: Paul Mackerras
+Date: Mon Feb 3 15:53:28 2020 +1100
+
+ pppd: Fix bounds check in EAP code
+ =20
+ Given that we have just checked vallen < len, it can never be the case
+ that vallen >=3D len + sizeof(rhostname). This fixes the check so we
+ actually avoid overflowing the rhostname array.
+ =20
+ Reported-by: Ilja Van Sprundel
+ Signed-off-by: Paul Mackerras
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f5..1b93db0 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ }
+=20
+ /* Not so likely to happen. */
+- if (vallen >=3D len + sizeof (rhostname)) {
++ if (len - vallen >=3D sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] =3D '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ }
+=20
+ /* Not so likely to happen. */
+- if (vallen >=3D len + sizeof (rhostname)) {
++ if (len - vallen >=3D sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] =3D '\0';
--=20
2.25.0
--===============5580487714864578032==--