diff options
author | jsg <jsg@openbsd.org> | 2014-12-10 03:39:54 +0000 |
---|---|---|
committer | jsg <jsg@openbsd.org> | 2014-12-10 03:39:54 +0000 |
commit | e1b9311f941df1f2b349db8b649c15f500315ee5 (patch) | |
tree | 0460caa4cd64ecbb5e0f498acb6f38fbb6510a26 /usr.sbin/pppd | |
parent | Some sort regress test fixes. cksum no longer supports -o2. (diff) | |
download | wireguard-openbsd-e1b9311f941df1f2b349db8b649c15f500315ee5.tar.xz wireguard-openbsd-e1b9311f941df1f2b349db8b649c15f500315ee5.zip |
Fix a potential integer overflow in pppd options file parsing.
From Paul Mackerras in 7658e8257183f062dc01f87969c140707c7e52cb
This issue is CVE-2014-3158.
Diffstat (limited to 'usr.sbin/pppd')
-rw-r--r-- | usr.sbin/pppd/options.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/usr.sbin/pppd/options.c b/usr.sbin/pppd/options.c index 689c9b6c1f0..99c29d8e10f 100644 --- a/usr.sbin/pppd/options.c +++ b/usr.sbin/pppd/options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: options.c,v 1.26 2013/10/27 18:49:25 guenther Exp $ */ +/* $OpenBSD: options.c,v 1.27 2014/12/10 03:39:54 jsg Exp $ */ /* * options.c - handles option processing for PPP. @@ -889,9 +889,10 @@ getword(f, word, newlinep, filename) /* * Store the resulting character for the escape sequence. */ - if (len < MAXWORDLEN-1) + if (len < MAXWORDLEN) { word[len] = value; - ++len; + ++len; + } if (!got) c = getc(f); @@ -924,9 +925,10 @@ getword(f, word, newlinep, filename) /* * An ordinary character: store it in the word and get another. */ - if (len < MAXWORDLEN-1) + if (len < MAXWORDLEN) { word[len] = c; - ++len; + ++len; + } c = getc(f); } |