Commit
pppd: Eliminate potential integer overflow in option parsing
When we are reading in a word from an options file, we maintain a count of the length we have seen so far in 'len', which is an int. When len exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the buffer but we continue to increment len. Since len is an int, it will wrap around to -2147483648 after it reaches 2147483647. At that point our test of (len < MAXWORDLEN-1) will succeed and we will start writing characters to memory again.

This may enable an attacker to overwrite the heap and thereby corrupt security-relevant variables. For this reason it has been assigned a CVE identifier, CVE-2014-3158.

This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.

Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
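The counter behaviour described in the commit message, as an added example that is not code from the commit or from pppd. It is a scaled-down model: a 16-bit counter stands in for the 32-bit int so the wrap appears after 32767 characters, stores are only counted and never performed, and read_word_model, inc_wrap16 and struct word_result are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define MAXWORDLEN 1024  /* the commit message gives MAXWORDLEN - 1 as 1023 */

/* Increment with an explicit two's-complement wrap, so the model itself has
 * no undefined behaviour: 32767 + 1 becomes -32768. */
static int16_t inc_wrap16(int16_t v)
{
    return (v == INT16_MAX) ? INT16_MIN : (int16_t)(v + 1);
}

struct word_result {
    long good_stores;  /* stores at an index inside the word buffer */
    long bad_stores;   /* stores the length check allowed at a negative index */
    int  final_len;    /* counter value after the last character */
};

/* Model of reading one over-long word of nchars characters.
 * saturate == 0: the counter keeps incrementing (behaviour before the fix).
 * saturate != 0: the counter stops once it reaches MAXWORDLEN (after the fix). */
struct word_result read_word_model(long nchars, int saturate)
{
    int16_t len = 0;   /* assumption: 16-bit stand-in for the real int */
    struct word_result r = { 0, 0, 0 };

    for (long i = 0; i < nchars; i++) {
        if (len < MAXWORDLEN - 1) {     /* the length test quoted in the message */
            if (len >= 0)
                r.good_stores++;        /* normal case: character kept */
            else
                r.bad_stores++;         /* wrapped counter: check passes again */
        }
        if (!saturate || len < MAXWORDLEN)
            len = inc_wrap16(len);
    }
    r.final_len = len;
    return r;
}

int main(void)
{
    struct word_result before = read_word_model(40000, 0);
    struct word_result after  = read_word_model(40000, 1);
    printf("before: good=%ld bad=%ld len=%d\n", before.good_stores, before.bad_stores, before.final_len);
    printf("after:  good=%ld bad=%ld len=%d\n", after.good_stores, after.bad_stores, after.final_len);
    return 0;
}
```

With the saturating counter the length test can never become true again, however long the word is.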