espressif/esp-lwip
1
0
Fork 0
mirror of https://github.com/espressif/esp-lwip.git synced 2026-06-05 21:04:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

ppp: Fix potential array overflow

Browse Source 
`vallen` is verified to be less than `len`, therefore, it can never
be the case that `vallen >= len + sizeof(rhostname)`.

This PR fixes the check so the `rhostname` array does not overflow.

Reported-by: Github Security Lab <securitylab@github.com>
Signed-off-by: Alvaro Muñoz <pwntester@github.com>
Ref IDF-4847
This commit is contained in:
Github Security Lab
2020-03-06 23:25:17 +01:00
committed by David Cermak
parent 66666948f9
commit c35e4d32f9
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/netif/ppp/eap.c
+2 -2
View File
@@ -1417,7 +1417,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
}
/* Not so likely to happen. */
if (vallen >= len + sizeof (rhostname)) {
if (len - vallen >= sizeof (rhostname)) {
ppp_dbglog("EAP: trimming really long peer name down");
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1845,7 +1845,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
}
/* Not so likely to happen. */
if (vallen >= len + sizeof (rhostname)) {
if (len - vallen >= sizeof (rhostname)) {
ppp_dbglog("EAP: trimming really long peer name down");
MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
rhostname[sizeof (rhostname) - 1] = '\0';