From 7060ac7c505e685bebca05eb14fa1d9550364051 Mon Sep 17 00:00:00 2001 From: Simon Arlott <70171+nomis@users.noreply.github.com> Date: Tue, 8 Apr 2025 08:14:51 +0100 Subject: [PATCH] pppd: Fix potential buffer overflow in lcp_rtt_update_buffer() (#554) It's possible for ring_header[2] to be modified by another process when reading it twice through a volatile pointer, causing it to change from a small value (which doesn't need to wrap around) to a large value which would exceed the size of the buffer. Signed-off-by: Simon Arlott Co-authored-by: Simon Arlott --- pppd/lcp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pppd/lcp.c b/pppd/lcp.c index 0876b8a..4fba1c4 100644 --- a/pppd/lcp.c +++ b/pppd/lcp.c @@ -2278,10 +2278,11 @@ lcp_rtt_update_buffer (unsigned long rtt) unsigned int next_entry, lost; /* choose the next entry where the data will be stored */ - if (ntohl(ring_header[2]) >= (LCP_RTT_ELEMENTS - 1) * 2) + next_entry = ntohl(ring_header[2]); + if (next_entry >= (LCP_RTT_ELEMENTS - 1) * 2) next_entry = 0; /* go back to the beginning */ else - next_entry = ntohl(ring_header[2]) + 2; /* use the next one */ + next_entry += 2; /* use the next one */ /* update the data element */ /* storing the timestamp in an *unsigned* long allows dates up to 2106 */ -- 2.47.2
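Review bot: the single read of `ring_header[2]` into `next_entry` closes the double-read race described in the commit message, but the hunk does not record why the value must be read exactly once, so a later cleanup could reintroduce the second `ntohl(ring_header[2])` without noticing; a one-line comment at `next_entry = ntohl(ring_header[2]);` such as `/* read once: shared with other processes, may change between reads */` would make the invariant explicit. Also, since the commit message establishes that another process can rewrite this field, the check `next_entry >= (LCP_RTT_ELEMENTS - 1) * 2` only bounds the upper end; if the ring layout assumes even offsets, a value that is not a multiple of 2 would still pass and `next_entry += 2` would yield an odd index, so consider validating that as well.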