| From 7658e8257183f062dc01f87969c140707c7e52cb Mon Sep 17 00:00:00 2001 |
| From: Paul Mackerras <paulus@samba.org> |
| Date: Fri, 1 Aug 2014 16:05:42 +1000 |
| Subject: [PATCH] pppd: Eliminate potential integer overflow in option parsing |
| |
| When we are reading in a word from an options file, we maintain a count |
| of the length we have seen so far in 'len', which is an int. When len |
| exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the |
| buffer but we continue to increment len. Since len is an int, it will |
| wrap around to -2147483648 after it reaches 2147483647. At that point |
| our test of (len < MAXWORDLEN-1) will succeed and we will start writing |
| characters to memory again. |
| |
| This may enable an attacker to overwrite the heap and thereby corrupt |
| security-relevant variables. For this reason it has been assigned a |
| CVE identifier, CVE-2014-3158. |
| |
| This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN. |
| |
| Reported-by: Lee Campbell <leecam@google.com> |
| Signed-off-by: Paul Mackerras <paulus@samba.org> |
| --- |
| pppd/options.c | 10 ++++++---- |
| 1 file changed, 6 insertions(+), 4 deletions(-) |
| |
| diff --git a/pppd/options.c b/pppd/options.c |
| index 45fa742..e9042d1 100644 |
| --- a/pppd/options.c |
| +++ b/pppd/options.c |
| @@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename) |
| /* |
| * Store the resulting character for the escape sequence. |
| */ |
| - if (len < MAXWORDLEN-1) |
| + if (len < MAXWORDLEN) { |
| word[len] = value; |
| - ++len; |
| + ++len; |
| + } |
| |
| if (!got) |
| c = getc(f); |
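Review bot: Raising the store bound from MAXWORDLEN-1 to MAXWORDLEN means word[MAXWORDLEN-1] is now overwritten with data, so the code after the loop that terminates the word (outside this hunk) must treat len == MAXWORDLEN as "truncated" and write the terminator at MAXWORDLEN-1 rather than at word[len]; if it still does `word[len] = 0` unconditionally, that write lands one byte past a MAXWORDLEN-sized buffer. A comment at the new guard would make the invariant explicit, e.g. `/* Stop incrementing at MAXWORDLEN so len cannot wrap; len == MAXWORDLEN marks the word as too long. */`, since the fix depends on len saturating rather than merely gating the store. The second hunk (the ordinary-character path at the `@@ -1329` header) repeats the same change and needs the same note; getword's loop starts and ends outside both hunks.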
| @@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename) |
| /* |
| * An ordinary character: store it in the word and get another. |
| */ |
| - if (len < MAXWORDLEN-1) |
| + if (len < MAXWORDLEN) { |
| word[len] = c; |
| - ++len; |
| + ++len; |
| + } |
| |
| c = getc(f); |
| } |
| -- |
| 2.0.0.526.g5318336 |
| |