pppd: Limit memory accessed by string formats with max length specified

Currently, calls to [v]slprintf that have a string format (%s, %v,
%q) with a maximum length specified (e.g. %.20s) do a strlen() on
the string, and can therefore access memory beyond the maximum
length specified.  If the string is not null-terminated, this could
result in an out-of-bounds read.

This makes vslprintf use strnlen() in cases where a maximum length
has been specified, so that we don't access the string beyond the
maximum length that was given.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>

diff --git a/pppd/utils.c b/pppd/utils.c
index 12ae21aec54214dde3cd013eaf54956e36e0ebd9..2cc0e9110f9383105e9b9c85333a269c1cb20d44 100644 (file)
--- a/pppd/utils.c
+++ b/pppd/utils.c
@@ -300,9 +300,10 @@ vslprintf(buf, buflen, fmt, args)
            if (fillch == '0' && prec >= 0) {
                n = prec;
            } else {
-               n = strlen((char *)p);
-               if (prec >= 0 && n > prec)
-                   n = prec;
+               if (prec == -1)
+                   n = strlen((char *)p);
+               else
+                   n = strnlen((char *)p, prec);
            }
            while (n > 0 && buflen > 0) {
                c = *p++;
@@ -385,9 +386,10 @@ vslprintf(buf, buflen, fmt, args)
            }
            len = num + sizeof(num) - 1 - str;
        } else {
-           len = strlen(str);
-           if (prec >= 0 && len > prec)
-               len = prec;
+           if (prec == -1)
+               len = strlen(str);
+           else
+               len = strnlen(str, prec);
        }
        if (width > 0) {
            if (width > buflen)