pppd: Eliminate potential integer overflow in option parsing

When we are reading in a word from an options file, we maintain a count
of the length we have seen so far in 'len', which is an int.  When len
exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
buffer but we continue to increment len.  Since len is an int, it will
wrap around to -2147483648 after it reaches 2147483647.  At that point
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
characters to memory again.

This may enable an attacker to overwrite the heap and thereby corrupt
security-relevant variables.  For this reason it has been assigned a
CVE identifier, CVE-2014-3158.

This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.

Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>

diff --git a/pppd/options.c b/pppd/options.c
index 45fa742cd9ce9d095490ebc68fa199023f8da8cc..e9042d1f64e2b5bbf05c74a91587f049f011c2b8 100644 (file)
--- a/pppd/options.c
+++ b/pppd/options.c
@@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
            /*
             * Store the resulting character for the escape sequence.
             */
-           if (len < MAXWORDLEN-1)
+           if (len < MAXWORDLEN) {
                word[len] = value;
-           ++len;
+               ++len;
+           }
 
            if (!got)
                c = getc(f);
@@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
        /*
         * An ordinary character: store it in the word and get another.
         */
-       if (len < MAXWORDLEN-1)
+       if (len < MAXWORDLEN) {
            word[len] = c;
-       ++len;
+           ++len;
+       }
 
        c = getc(f);
     }