From b438a0d6fd008753839235f034be89d47e6c2d88 Mon Sep 17 00:00:00 2001
From: Sylvain Rochet
Date: Sat, 2 Jul 2016 16:20:57 +0200
Subject: [PATCH] PPP, PPPoE: fix potential out-of-bound if AC cookie is too long

Found by coverity. Introduced by c0e7d54e37 "Removed 2 mem_mallocs: error string can be a global variable, include memory for sc_ac_cookie in struct pppoe_softc; commented out unused code (sc_service_name/sc_concentrator_name)". Fixes it by bailing out if received AC cookie is to big for us, this can't really happen anyway.
---
 src/netif/ppp/pppoe.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/netif/ppp/pppoe.c b/src/netif/ppp/pppoe.c
index 41f62013..0d974765 100644
--- a/src/netif/ppp/pppoe.c
+++ b/src/netif/ppp/pppoe.c
@@ -470,6 +470,10 @@ pppoe_disc_input(struct netif *netif, struct pbuf *pb)
 break;
 case PPPOE_TAG_ACCOOKIE:
 if (ac_cookie == NULL) {
+ if (len > PPPOE_MAX_AC_COOKIE_LEN) {
+ PPPDEBUG(LOG_DEBUG, ("pppoe: AC cookie is too long: len = %d, max = %d\n", len, PPPOE_MAX_AC_COOKIE_LEN));
+ goto done;
+ }
 ac_cookie = (u8_t*)pb->payload + off + sizeof(pt);
 ac_cookie_len = len;
 }
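Review bot: The new length guard on the PPPOE_TAG_ACCOOKIE branch carries no hint of why the limit exists, so a reader has to locate the later copy into the fixed-size sc_ac_cookie array (outside this hunk) to see that this is a memory-safety bound rather than a protocol rule; a comment such as `/* the cookie is copied into the fixed-size sc_ac_cookie array later; an oversized one would overrun it */` above `if (len > PPPOE_MAX_AC_COOKIE_LEN) {` would make that explicit. The same bound should also be enforced at the copy site itself, e.g. an LWIP_ASSERT against sizeof sc->sc_ac_cookie, so the two locations cannot silently drift apart if the macro is changed. The guard also presumes the tag loop has already verified that `off + sizeof(pt) + len` lies within the pbuf before `ac_cookie` is pointed at the payload; that check is not visible in the hunk and is worth confirming. pppoe_disc_input's body continues on both sides of the hunk.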