Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- lfs/ppp | 1 + ....8-pppd-fix-bounds-check-in-eap-code.patch | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
diff --git a/lfs/ppp b/lfs/ppp index 607765bd0..cbac95067 100644 --- a/lfs/ppp +++ b/lfs/ppp @@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls cd $(DIR_APP) && make $(MAKETUNING) CC="gcc" RPM_OPT_FLAGS="$(CFLAGS)" diff --git a/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch new file mode 100644 index 000000000..858769f48 --- /dev/null +++ b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch @@ -0,0 +1,35 @@ +commit 8d7970b8f3db727fe798b65f3377fe6787575426 +Author: Paul Mackerras paulus@ozlabs.org +Date: Mon Feb 3 15:53:28 2020 +1100 + + pppd: Fix bounds check in EAP code + + Given that we have just checked vallen < len, it can never be the case + that vallen >= len + sizeof(rhostname). This fixes the check so we + actually avoid overflowing the rhostname array. + + Reported-by: Ilja Van Sprundel ivansprundel@ioactive.com + Signed-off-by: Paul Mackerras paulus@ozlabs.org + +diff --git a/pppd/eap.c b/pppd/eap.c +index 94407f5..1b93db0 100644 +--- a/pppd/eap.c ++++ b/pppd/eap.c +@@ -1420,7 +1420,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0'; +@@ -1846,7 +1846,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0';