From: Paul Mackerras Date: Fri, 1 Aug 2014 06:05:42 +0000 (+1000) Subject: pppd: Eliminate potential integer overflow in option parsing X-Git-Tag: ppp-2.4.7~5 X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=commitdiff_plain;h=7658e8257183f062dc01f87969c140707c7e52cb pppd: Eliminate potential integer overflow in option parsing When we are reading in a word from an options file, we maintain a count of the length we have seen so far in 'len', which is an int. When len exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the buffer but we continue to increment len. Since len is an int, it will wrap around to -2147483648 after it reaches 2147483647. At that point our test of (len < MAXWORDLEN-1) will succeed and we will start writing characters to memory again. This may enable an attacker to overwrite the heap and thereby corrupt security-relevant variables. For this reason it has been assigned a CVE identifier, CVE-2014-3158. This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN. Reported-by: Lee Campbell Signed-off-by: Paul Mackerras --- diff --git a/pppd/options.c b/pppd/options.c index 45fa742..e9042d1 100644 --- a/pppd/options.c +++ b/pppd/options.c @@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename) /* * Store the resulting character for the escape sequence. */ - if (len < MAXWORDLEN-1) + if (len < MAXWORDLEN) { word[len] = value; - ++len; + ++len; + } if (!got) c = getc(f); @@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename) /* * An ordinary character: store it in the word and get another. */ - if (len < MAXWORDLEN-1) + if (len < MAXWORDLEN) { word[len] = c; - ++len; + ++len; + } c = getc(f); }
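Review bot: in the first hunk (escape-sequence store, @@ -1289) the bound moves from `len < MAXWORDLEN-1` to `len < MAXWORDLEN`, so the loop now writes word[MAXWORDLEN-1], the slot the old bound kept free, and len can sit at exactly MAXWORDLEN when the loop exits; whatever terminates the word after the loop (not in this hunk) must therefore clamp len back to MAXWORDLEN-1 before storing the NUL, and the reviewer should confirm that code does so. A one-line comment at the `if` saying that len saturates at MAXWORDLEN, and that a final value of MAXWORDLEN is the too-long signal, would make the changed bound self-explanatory.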
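Review bot: the second hunk (ordinary character, @@ -1329) repeats the same three-line pattern as the escape-sequence case, and the braces are the fix itself, since moving `++len;` inside the `if` is what stops len from counting past MAXWORDLEN and wrapping. With the bound now living in two places, consider a small static helper or macro such as `store_char(word, &len, c)` so the saturating check cannot drift between the two sites, and add the same explanatory comment here as at the first site.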
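The saturating length counter the commit message describes, as an added illustration that is not pppd's code: a self-contained word reader over a constructed in-memory input, using the fixed `len < MAXWORDLEN` bound with `++len` inside it. The end-of-word handling (flag the overlong word, truncate to MAXWORDLEN-1, NUL-terminate) is an assumed stand-in for the rest of getword(), which the hunks do not show.

```c
#include <string.h>

#define MAXWORDLEN 1024          /* same limit as pppd's options.c */

/*
 * Copy one whitespace-delimited word from 'src' into 'word' (MAXWORDLEN
 * bytes), following the fixed hunks: 'len' is only incremented while it
 * is below MAXWORDLEN, so it saturates instead of counting the whole
 * input and eventually wrapping.  The end-of-word handling (flag the
 * overlong word, truncate to MAXWORDLEN-1, NUL-terminate) is an assumed
 * stand-in for the rest of getword(), which the hunks do not show.
 */
static int read_word(const char *src, char word[MAXWORDLEN], int *too_long)
{
    int len = 0;
    int c;

    while ((c = (unsigned char)*src++) != '\0' && c != ' ' && c != '\n') {
        if (len < MAXWORDLEN) {      /* fixed bound: store and count */
            word[len] = (char)c;
            ++len;                   /* never advances past MAXWORDLEN */
        }
    }
    *too_long = (len >= MAXWORDLEN);
    if (*too_long)
        len = MAXWORDLEN - 1;        /* leave room for the terminator */
    word[len] = '\0';
    return len;
}

/* Run read_word on a constructed word of n 'x' bytes plus a newline. */
static int run(size_t n, int *too_long)
{
    char in[8192], word[MAXWORDLEN];
    if (n > sizeof in - 2)
        n = sizeof in - 2;           /* keep the constructed input in bounds */
    memset(in, 'x', n);
    in[n] = '\n';
    in[n + 1] = '\0';
    read_word(in, word, too_long);
    return (int)strlen(word);
}

/* Bytes actually stored for an n-byte word (capped at MAXWORDLEN-1). */
int stored_len(size_t n) { int t; return run(n, &t); }
/* 1 if an n-byte word was flagged as too long, else 0. */
int was_truncated(size_t n) { int t; run(n, &t); return t; }
```

Feeding a 5000-byte word shows len stopping at MAXWORDLEN rather than tracking the input length, which is the property the wrap-around attack relied on being absent.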