pppd: Eliminate potential integer overflow in option parsing

pppd: Eliminate potential integer overflow in option parsing

When we are reading in a word from an options file, we maintain a count
of the length we have seen so far in 'len', which is an int.  When len
exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
buffer but we continue to increment len.  Since len is an int, it will
wrap around to -2147483648 after it reaches 2147483647.  At that point
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
characters to memory again.

This may enable an attacker to overwrite the heap and thereby corrupt
security-relevant variables.  For this reason it has been assigned a
CVE identifier, CVE-2014-3158.

This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.

Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>