From b311e98b1d4775f7db36b81697ed8996809f3639 Mon Sep 17 00:00:00 2001
From: Paul Mackerras
Date: Mon, 30 Dec 2019 09:24:54 +1100
Subject: [PATCH] pppd: Limit memory accessed by string formats with max length specified

Currently, calls to [v]slprintf that have a string format (%s, %v, %q) with a maximum length specified (e.g. %.20s) do a strlen() on the string, and can therefore access memory beyond the maximum length specified. If the string is not null-terminated, this could result in an out-of-bounds read.

This makes vslprintf use strnlen() in cases where a maximum length has been specified, so that we don't access the string beyond the maximum length that was given.

Signed-off-by: Paul Mackerras
---
 pppd/utils.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/pppd/utils.c b/pppd/utils.c
index 12ae21a..2cc0e91 100644
--- a/pppd/utils.c
+++ b/pppd/utils.c
@@ -300,9 +300,10 @@ vslprintf(buf, buflen, fmt, args)
 if (fillch == '0' && prec >= 0) {
 n = prec;
 } else {
- n = strlen((char *)p);
- if (prec >= 0 && n > prec)
- n = prec;
+ if (prec == -1)
+ n = strlen((char *)p);
+ else
+ n = strnlen((char *)p, prec);
 }
 while (n > 0 && buflen > 0) {
 c = *p++;
@@ -385,9 +386,10 @@ vslprintf(buf, buflen, fmt, args)
 }
 len = num + sizeof(num) - 1 - str;
 } else {
- len = strlen(str);
- if (prec >= 0 && len > prec)
- len = prec;
+ if (prec == -1)
+ len = strlen(str);
+ else
+ len = strnlen(str, prec);
 }
 if (width > 0) {
 if (width > buflen)
-- 
2.39.2
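Review bot: The new test `if (prec == -1)` narrows the old `prec >= 0` check: any negative precision other than -1 now falls into `n = strnlen((char *)p, prec)`, where the negative int is converted to a very large size_t and the scan is effectively unbounded again. How prec is parsed is outside this hunk, so I cannot tell whether a value other than -1 can reach here (a `.*` precision taken from a va_arg would be the usual way); under the old code such a value also meant a plain strlen(), so this is not a regression, but the equality test is fragile and the int-to-size_t conversion is the kind of thing -Wsign-conversion flags. `if (prec < 0)` preserves the original "no precision given" semantics while still routing every real bound through strnlen(). The same pattern appears in the %s hunk below, and vslprintf's body starts before and continues after this hunk.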
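Review bot: `strnlen()` in the new `len = strnlen(str, prec);` line is a POSIX.1-2008 function rather than part of C89/C99, and the K&R-style definition `vslprintf(buf, buflen, fmt, args)` in the hunk header suggests this file still targets older toolchains; on any supported platform without it the build now fails here and in the %v/%q hunk above. A build-time check paired with a small static fallback that scans at most prec bytes for the terminator would keep the fix portable without changing its behaviour. I cannot see the project's configure setup from this hunk, so this may already be handled. vslprintf's body starts before this hunk and the code that consumes len continues after it.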