`vallen` is verified to be less than `len`, therefore, it can never
authorGithub Security Lab <securitylab@github.com>
Fri, 6 Mar 2020 15:41:14 +0000 (16:41 +0100)
committerLukas Humbel <lukas.humbel@inf.ethz.ch>
Wed, 18 Mar 2020 13:20:36 +0000 (14:20 +0100)
be the case that `vallen >= len + sizeof(rhostname)`.

This PR fixes the check so the `rhostname` array does not overflow.

Reported-by: Github Security Lab <securitylab@github.com>
Signed-off-by: Alvaro Muñoz <pwntester@github.com>

include/lwip2/netif/ppp/eap.c
lib/lwip2/src/netif/ppp/eap.c

index 8fb5636..971f58b 100644 (file)
@@ -1417,7 +1417,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
                }
 
                /* Not so likely to happen. */
-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
                        ppp_dbglog("EAP: trimming really long peer name down");
                        MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
                        rhostname[sizeof (rhostname) - 1] = '\0';
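Review bot: The new condition `len - vallen >= sizeof (rhostname)` is a signed/unsigned comparison: `len` is an `int` per the hunk header, so if `len - vallen` were ever negative it would convert to a very large `size_t`, take the trim branch and copy `sizeof (rhostname) - 1` bytes from `inp + vallen`, reading past the received data. The commit message says `vallen` is checked to be less than `len` earlier in eap_request, which is outside this hunk, so the fix is sound only while that guard stays in place; I would record the dependency next to the condition, e.g. `/* vallen < len was validated above, so len - vallen is positive before the unsigned compare */`, and write the compare as `if ((size_t)(len - vallen) >= sizeof (rhostname)) {` so the conversion is explicit rather than a `-Wsign-compare` surprise. The same point applies to the eap_response hunk below and to the repeated hunks for lib/lwip2/src/netif/ppp/eap.c. eap_request's body begins and ends outside the hunk.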
@@ -1845,7 +1845,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
                }
 
                /* Not so likely to happen. */
-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
                        ppp_dbglog("EAP: trimming really long peer name down");
                        MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
                        rhostname[sizeof (rhostname) - 1] = '\0';
index 8fb5636..971f58b 100644 (file)
@@ -1417,7 +1417,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
                }
 
                /* Not so likely to happen. */
-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
                        ppp_dbglog("EAP: trimming really long peer name down");
                        MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
                        rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1845,7 +1845,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
                }
 
                /* Not so likely to happen. */
-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
                        ppp_dbglog("EAP: trimming really long peer name down");
                        MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
                        rhostname[sizeof (rhostname) - 1] = '\0';