This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 5cbcd514def1b63606d2139634a4f7a31af89205 (commit)
from 8d43248794b1abadf6e1c519b79a05bd5e64467c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 5cbcd514def1b63606d2139634a4f7a31af89205
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date: Sat Feb 22 15:02:24 2020 +0100
ppp: Add upstream patch to fix bounds check in EAP code.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
lfs/ppp | 1 +
...p-2.4.8-pppd-fix-bounds-check-in-eap-code.patch | 35 ++++++++++++++++++++++
2 files changed, 36 insertions(+)
create mode 100644 src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
Difference in files:
diff --git a/lfs/ppp b/lfs/ppp
index 607765bd0..cbac95067 100644
--- a/lfs/ppp
+++ b/lfs/ppp
@@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h
cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls
cd $(DIR_APP) && make $(MAKETUNING) CC="gcc" RPM_OPT_FLAGS="$(CFLAGS)"
diff --git a/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
new file mode 100644
index 000000000..858769f48
--- /dev/null
+++ b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
@@ -0,0 +1,35 @@
+commit 8d7970b8f3db727fe798b65f3377fe6787575426
+Author: Paul Mackerras <paulus(a)ozlabs.org>
+Date: Mon Feb 3 15:53:28 2020 +1100
+
+ pppd: Fix bounds check in EAP code
+
+ Given that we have just checked vallen < len, it can never be the case
+ that vallen >= len + sizeof(rhostname). This fixes the check so we
+ actually avoid overflowing the rhostname array.
+
+ Reported-by: Ilja Van Sprundel <ivansprundel(a)ioactive.com>
+ Signed-off-by: Paul Mackerras <paulus(a)ozlabs.org>
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f5..1b93db0 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
hooks/post-receive
--
IPFire 2.x development tree