pppdump: Avoid out-of-range access to packet buffer

This fixes a potential vulnerability where data is written to spkt.buf
and rpkt.buf without a check on the array index.  To fix this, we
check the array index (pkt->cnt) before storing the byte or
incrementing the count.  This also means we no longer have a potential
signed integer overflow on the increment of pkt->cnt.

Fortunately, pppdump is not used in the normal process of setting up a
PPP connection, is not installed setuid-root, and is not invoked
automatically in any scenario that I am aware of.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>

diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
index 2b815fc9b50e41fcd2ec8c0d2a0ad93120a4aaf3..b85a86271edacafcbae3f7329bce4e08bf5b0b94 100644 (file)
--- a/pppdump/pppdump.c
+++ b/pppdump/pppdump.c
@@ -297,6 +297,10 @@ dumpppp(f)
                            printf("%s aborted packet:\n     ", dir);
                            q = "    ";
                        }
+                       if (pkt->cnt >= sizeof(pkt->buf)) {
+                           printf("%s over-long packet truncated:\n     ", dir);
+                           q = "    ";
+                       }
                        nb = pkt->cnt;
                        p = pkt->buf;
                        pkt->cnt = 0;
@@ -400,7 +404,8 @@ dumpppp(f)
                        c ^= 0x20;
                        pkt->esc = 0;
                    }
-                   pkt->buf[pkt->cnt++] = c;
+                   if (pkt->cnt < sizeof(pkt->buf))
+                       pkt->buf[pkt->cnt++] = c;
                    break;
                }
            }