abc/lwip
1
0
Fork 0
mirror of https://git.savannah.nongnu.org/git/lwip.git synced 2025-08-04 21:44:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

PPP, PPPoE: fix potential out-of-bound if AC cookie is too long

Browse Source 
Found by coverity.

Introduced by c0e7d54e37 "Removed 2 mem_mallocs: error string can be a
global variable, include memory for sc_ac_cookie in struct pppoe_softc;
commented out unused code (sc_service_name/sc_concentrator_name)".

Fixes it by bailing out if received AC cookie is to big for us, this
can't really happen anyway.
This commit is contained in:
Sylvain Rochet 2016-07-02 16:20:57 +02:00
parent 7c368b7f36
commit b438a0d6fd
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/netif/ppp/pppoe.c
View File

@ -470,6 +470,10 @@ pppoe_disc_input(struct netif *netif, struct pbuf *pb)
break; break;
case PPPOE_TAG_ACCOOKIE: case PPPOE_TAG_ACCOOKIE:
if (ac_cookie == NULL) { if (ac_cookie == NULL) {
if (len > PPPOE_MAX_AC_COOKIE_LEN) {
PPPDEBUG(LOG_DEBUG, ("pppoe: AC cookie is too long: len = %d, max = %d\n", len, PPPOE_MAX_AC_COOKIE_LEN));
goto done;
}
ac_cookie = (u8_t*)pb->payload + off + sizeof(pt); ac_cookie = (u8_t*)pb->payload + off + sizeof(pt);
ac_cookie_len = len; ac_cookie_len = len;
} }