blob: c8cebe3d63db3dc9d8e9a265fea753e82b5cdd24 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
Fix buffer overflow in rc_mksid()
rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
If the process id is bigger than 65535 (FFFF), its hex representation will be
longer than 4 characters, resulting in a buffer overflow.
The bug can be exploited to cause a remote DoS.
--- ppp-2.4.7/pppd/plugins/radius/util.c
+++ ppp-2.4.7/pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
static unsigned short int cnt = 0;
sprintf (buf, "%08lX%04X%02hX",
(unsigned long int) time (NULL),
- (unsigned int) getpid (),
+ (unsigned int) getpid () & 0xFFFF,
cnt & 0xFF);
cnt++;
return buf;
|