From: Robert Bartel
Date: Fri, 10 Mar 2023 18:31:52 +0000 (+0000)
Subject: Fixing buffer overflow issue in chat.c
X-Git-Tag: ppp-2.5.0~12
X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=commitdiff_plain;h=6292210a9d14c0d947a5c3fb10f0d289815cd24f

Fixing buffer overflow issue in chat.c

There were two issues here: the report_buffer is too small to hold the value, and accessing the memory outside its bounds. The following fixes were made:

- Expand the size of report_buffer to 4096 from 256, this is to account for handling of really long GSM USSD report strings
- Make sure not to access memory outside the bounds of the buffer

Signed-off-by: Robert Bartel
Signed-off-by: Paul Mackerras

---
diff --git a/chat/chat.c b/chat/chat.c index 0740229..a5bfb9f 100644 --- a/chat/chat.c +++ b/chat/chat.c @@ -182,7 +182,7 @@ int n_aborts = 0, abort_next = 0, timeout_next = 0, echo_next = 0; int clear_abort_next = 0; char *report_string[MAX_REPORTS] ; -char report_buffer[256] ; +char report_buffer[4096] ; int n_reports = 0, report_next = 0, report_gathering = 0 ; int clear_report_next = 0; @@ -1419,8 +1419,10 @@ int get_string(register char *string) else { if (!iscntrl (c)) { int rep_len = strlen (report_buffer); - report_buffer[rep_len] = c; - report_buffer[rep_len + 1] = '\0'; + if ((rep_len + 1) < sizeof(report_buffer)) { + report_buffer[rep_len] = c; + report_buffer[rep_len + 1] = '\0'; + } } else { report_gathering = 0;
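Review bot: In the first hunk (the `char report_buffer[256]` to `char report_buffer[4096]` change at line 182), the new size is a bare magic number with no comment explaining why 4096 was chosen; the commit message says it is sized for long GSM USSD report strings, and that rationale belongs in the code. Prefer a named constant, for example `#define REPORT_BUFFER_SIZE 4096` with `char report_buffer[REPORT_BUFFER_SIZE];`, so that the bounds check in get_string() and any other code that writes into report_buffer refer to the same value. Note also that enlarging the buffer on its own does not close the overflow; only the bounds check in the second hunk does, and the larger buffer just raises the length at which truncation starts.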
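Review bot: In the second hunk (the `if ((rep_len + 1) < sizeof(report_buffer))` guard in get_string()), the check itself is correct: with rep_len + 1 strictly less than the buffer size, both writes `report_buffer[rep_len]` and `report_buffer[rep_len + 1]` stay in bounds and the terminator is preserved. Two things are missing, though. First, when the guard fails the character is silently dropped, so an over-long report is truncated with no indication to the user or the log; a one-time warning when the buffer fills would make the truncation visible rather than leaving a report that looks complete but is not. Second, `rep_len` is declared `int` while `sizeof(report_buffer)` is `size_t`, so the comparison mixes signed and unsigned operands and will trigger -Wsign-compare on common compilers; declaring `size_t rep_len = strlen (report_buffer);` avoids the warning and matches the type of the value strlen returns.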