diff options
author | Jakub Janeczko | 2020-07-29 21:04:34 +0200 |
---|---|---|
committer | Jakub Janeczko | 2020-07-29 21:15:02 +0200 |
commit | ad397c2832e9f389b38016b38a90ebb66502cf47 (patch) | |
tree | ca5a65fbc129a696713aa9e0e26129725656625a /CVE-2020-8597.patch | |
download | aur-ad397c2832e9f389b38016b38a90ebb66502cf47.tar.gz |
Initial commit
Diffstat (limited to 'CVE-2020-8597.patch')
-rw-r--r-- | CVE-2020-8597.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/CVE-2020-8597.patch b/CVE-2020-8597.patch new file mode 100644 index 000000000000..699cf9b6d846 --- /dev/null +++ b/CVE-2020-8597.patch @@ -0,0 +1,37 @@ +From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 15:53:28 +1100
+Subject: [PATCH] pppd: Fix bounds check in EAP code
+
+Given that we have just checked vallen < len, it can never be the case
+that vallen >= len + sizeof(rhostname). This fixes the check so we
+actually avoid overflowing the rhostname array.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+---
+ pppd/eap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f56..1b93db01 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
|