This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  5cbcd514def1b63606d2139634a4f7a31af89205 (commit)
      from  8d43248794b1abadf6e1c519b79a05bd5e64467c (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 5cbcd514def1b63606d2139634a4f7a31af89205
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Sat Feb 22 15:02:24 2020 +0100

    ppp: Add upstream patch to fix bounds check in EAP code.

    Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

-----------------------------------------------------------------------
Summary of changes:
 lfs/ppp                                            |  1 +
 ...p-2.4.8-pppd-fix-bounds-check-in-eap-code.patch | 35 ++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch
Difference in files: diff --git a/lfs/ppp b/lfs/ppp index 607765bd0..cbac95067 100644 --- a/lfs/ppp +++ b/lfs/ppp @@ -79,6 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-headers_4.9.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-errors+" pppd/pathnames.h cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls cd $(DIR_APP) && make $(MAKETUNING) CC="gcc" RPM_OPT_FLAGS="$(CFLAGS)" diff --git a/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch new file mode 100644 index 000000000..858769f48 --- /dev/null +++ b/src/patches/ppp/ppp-2.4.8-pppd-fix-bounds-check-in-eap-code.patch @@ -0,0 +1,35 @@ +commit 8d7970b8f3db727fe798b65f3377fe6787575426 +Author: Paul Mackerras paulus@ozlabs.org +Date: Mon Feb 3 15:53:28 2020 +1100 + + pppd: Fix bounds check in EAP code + + Given that we have just checked vallen < len, it can never be the case + that vallen >= len + sizeof(rhostname). This fixes the check so we + actually avoid overflowing the rhostname array. + + Reported-by: Ilja Van Sprundel ivansprundel@ioactive.com + 
Signed-off-by: Paul Mackerras paulus@ozlabs.org + +diff --git a/pppd/eap.c b/pppd/eap.c +index 94407f5..1b93db0 100644 +--- a/pppd/eap.c ++++ b/pppd/eap.c +@@ -1420,7 +1420,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0'; +@@ -1846,7 +1846,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0';
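Review bot: in the pppd/eap.c hunk at -1420, the new test `len - vallen >= sizeof (rhostname)` compares a difference involving `int len` against a `size_t`, so it is only correct because of the earlier `vallen < len` check that the patch description relies on and that lies outside the three context lines shown. If that earlier check were ever moved or relaxed, a negative difference would be converted to a very large unsigned value and silently take the trimming branch. A one-line comment at this test stating the precondition, or computing the remaining length into a named variable right after the `vallen < len` check and testing that, would make the dependency visible to the next person who edits this function.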
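Review bot: the pppd/eap.c hunk at -1846 touches a block that is line for line the same as the one at -1420 (same condition, same `dbglog` message, same `BCOPY` and terminator), so the wrong bounds check had to be corrected in two places. Moving the peer-name copy into one helper that takes `inp`, `vallen` and `len` would keep a later change from reaching one copy and missing the other. Since the patch only touches these two sites, it is also worth searching the rest of eap.c for any remaining test of the old `vallen >= len + sizeof (...)` form before treating the issue as closed.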
hooks/post-receive -- IPFire 2.x development tree