pppd: Fix a stack variable overflow in MSCHAP-v2
authorJohn Crispin <blogic@openwrt.org>
Fri, 1 Aug 2014 08:12:36 +0000 (18:12 +1000)
committerPaul Mackerras <paulus@samba.org>
Fri, 1 Aug 2014 11:36:57 +0000 (21:36 +1000)
This fixes a bug introduced in 08ef47ca ("pppd: Make MSCHAP-v2 cope
better with packet loss").

Signed-off-by: Paul Mackerras <paulus@samba.org>
pppd/chap_ms.c

index 016b42e0c10ee9a845a3e96ad8aa55dcb2b0464c..c2bd00f9c6f7ec0e3e3a5dd6b00c4153b6c41d25 100644 (file)
@@ -382,7 +382,7 @@ chapms2_make_response(unsigned char *response, int id, char *our_name,
                      unsigned char *private)
 {
        const struct chapms2_response_cache_entry *cache_entry;
-       unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH];
+       unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH+1];
 
        challenge++;    /* skip length, should be 16 */
        *response++ = MS_CHAP2_RESPONSE_LEN;