From: John Crispin <blogic@openwrt.org>
Date: Fri, 1 Aug 2014 08:12:36 +0000 (+1000)
Subject: pppd: Fix a stack variable overflow in MSCHAP-v2
X-Git-Tag: ppp-2.4.7~3
X-Git-Url: https://git.ozlabs.org/?a=commitdiff_plain;h=36733a891fb56594fcee580f667b33a64b990981;p=ppp.git

pppd: Fix a stack variable overflow in MSCHAP-v2

This fixes a bug introduced in 08ef47ca ("pppd: Make MSCHAP-v2 cope
better with packet loss").

Signed-off-by: Paul Mackerras <paulus@samba.org>
---

diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
index 016b42e..c2bd00f 100644
--- a/pppd/chap_ms.c
+++ b/pppd/chap_ms.c
@@ -382,7 +382,7 @@ chapms2_make_response(unsigned char *response, int id, char *our_name,
 		      unsigned char *private)
 {
 	const struct chapms2_response_cache_entry *cache_entry;
-	unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH];
+	unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH+1];
 
 	challenge++;	/* skip length, should be 16 */
 	*response++ = MS_CHAP2_RESPONSE_LEN;