pppd: Eliminate potential integer overflow in option parsing
When we are reading in a word from an options file, we maintain a count
of the length we have seen so far in 'len', which is an int.  When len
exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
buffer but we continue to increment len.  Since len is an int, it will
wrap around to -2147483648 after it reaches 2147483647.  At that point
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
characters to memory again.

This may enable an attacker to overwrite the heap and thereby corrupt
security-relevant variables.  For this reason it has been assigned a
CVE identifier, CVE-2014-3158.

This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.

Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
paulusmack committed Aug 1, 2014
1 parent 880a81b commit 7658e82
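The counter wrap described in the commit message, as an added example (constructed for this page, not pppd code). It is a scaled-down model: pppd uses MAXWORDLEN 1024 and an int counter, so the real wrap needs 2^31 bytes of input; here MAXWORDLEN is 8 and the counter is a 16-bit signed type, so the same wrap is reachable after 32768 characters. The store is instrumented so that out-of-range indices are recorded instead of written, and the NUL-termination step in the fixed reader is an assumption about what follows the diff, not something the hunks show. The names `getword_vuln`, `getword_fixed`, `probe_vuln` and `probe_fixed` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scaled-down model of CVE-2014-3158 (constructed example, not pppd code).
 * pppd: MAXWORDLEN = 1024, 'int len'. Here: MAXWORDLEN = 8, 16-bit counter,
 * so the wrap happens after 32768 characters instead of 2^31. */
#define MAXWORDLEN 8
typedef int16_t count_t;   /* stand-in for pppd's 'int len' */

/* Guarded store: real code writes word[idx] unconditionally. Here an
 * out-of-range index is counted and skipped so the demo cannot corrupt memory. */
static void store(char *word, long idx, char c, int *oob_count, long *first_oob)
{
    if (idx < 0 || idx >= MAXWORDLEN) {
        if ((*oob_count)++ == 0)
            *first_oob = idx;
        return;
    }
    word[idx] = c;
}

/* Pre-fix pattern: stop storing at MAXWORDLEN-1 but keep incrementing len. */
static count_t getword_vuln(const char *in, size_t inlen, char *word,
                            int *oob_count, long *first_oob)
{
    count_t len = 0;
    *oob_count = 0;
    *first_oob = 0;
    for (size_t i = 0; i < inlen && in[i] != ' '; i++) {
        if (len < MAXWORDLEN - 1)
            store(word, len, in[i], oob_count, first_oob);
        ++len;   /* int16_t conversion wraps to -32768 after 32768 increments (gcc/clang) */
    }
    return len;
}

/* Post-fix pattern (commit 7658e82): len is frozen once it reaches MAXWORDLEN. */
static count_t getword_fixed(const char *in, size_t inlen, char *word,
                             int *oob_count, long *first_oob, int *truncated)
{
    count_t len = 0;
    *oob_count = 0;
    *first_oob = 0;
    for (size_t i = 0; i < inlen && in[i] != ' '; i++) {
        if (len < MAXWORDLEN) {
            store(word, len, in[i], oob_count, first_oob);
            ++len;
        }
    }
    /* Assumed terminator handling (not in the diff): a word that filled the
     * buffer is flagged and clamped so the NUL lands inside word[]. */
    *truncated = 0;
    if (len >= MAXWORDLEN) {
        *truncated = 1;
        len = MAXWORDLEN - 1;
    }
    word[len] = '\0';
    return len;
}

/* Constructed input: n non-space characters followed by a space. */
static char *make_input(size_t n)
{
    char *buf = malloc(n + 2);
    if (!buf)
        abort();
    memset(buf, 'a', n);
    buf[n] = ' ';
    buf[n + 1] = '\0';
    return buf;
}

struct probe {
    long final_len;   /* counter value when the word ended */
    int oob_count;    /* out-of-range stores the code would have made */
    long first_oob;   /* index of the first such store */
    int truncated;    /* fixed reader only */
};

struct probe probe_vuln(size_t n)
{
    struct probe p = {0};
    char word[MAXWORDLEN];
    char *in = make_input(n);
    p.final_len = getword_vuln(in, n + 1, word, &p.oob_count, &p.first_oob);
    free(in);
    return p;
}

struct probe probe_fixed(size_t n)
{
    struct probe p = {0};
    char word[MAXWORDLEN];
    char *in = make_input(n);
    p.final_len = getword_fixed(in, n + 1, word, &p.oob_count, &p.first_oob,
                                &p.truncated);
    free(in);
    return p;
}

int main(void)
{
    struct probe v = probe_vuln(32769), f = probe_fixed(32769);
    printf("vuln:  len=%ld oob_stores=%d first_oob_index=%ld\n",
           v.final_len, v.oob_count, v.first_oob);
    printf("fixed: len=%ld oob_stores=%d truncated=%d\n",
           f.final_len, f.oob_count, f.truncated);
    return 0;
}
```

With 32769 characters the vulnerable reader's counter has wrapped to -32768 by the last character, the `len < MAXWORDLEN-1` test passes again, and the store would land 32768 bytes before the buffer; the fixed reader never computes an index outside word[] and reports the word as truncated instead.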
10 changes: 6 additions & 4 deletions pppd/options.c
Expand Up @@ -1289,9 +1289,10 @@ getword(f, word, newlinep, filename)
/*
* Store the resulting character for the escape sequence.
*/
if (len < MAXWORDLEN-1)
if (len < MAXWORDLEN) {
word[len] = value;
++len;
++len;
}

if (!got)
c = getc(f);
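Review bot: the store bound widens from `len < MAXWORDLEN-1` to `len < MAXWORDLEN`, so `word[MAXWORDLEN-1]` is now written and `len` can come to rest at `MAXWORDLEN`; the code that NUL-terminates the word (not in this hunk) must clamp `len` back to `MAXWORDLEN-1` before writing the terminator, otherwise the wrap is traded for a one-byte overrun at `word[MAXWORDLEN]`. Please confirm that, and add a one-line comment above the `if` saying the counter is deliberately frozen at `MAXWORDLEN` (CVE-2014-3158) so a later cleanup does not hoist `++len` back out of the block.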
Expand Down Expand Up @@ -1329,9 +1330,10 @@ getword(f, word, newlinep, filename)
/*
* An ordinary character: store it in the word and get another.
*/
if (len < MAXWORDLEN-1)
if (len < MAXWORDLEN) {
word[len] = c;
++len;
++len;
}

c = getc(f);
}
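Review bot: with `len` saturating at `MAXWORDLEN`, a word of exactly `MAXWORDLEN` characters and any longer word both finish with `len == MAXWORDLEN`, so a "word too long" diagnostic keyed on `len` must treat that value as possible truncation and the commit message could say so. The bound-and-increment block is now duplicated verbatim between the escape-sequence path and this ordinary-character path; a small static helper would keep the two from drifting, and any other site in getword() that advances `len` needs the same cap, since these are the only two the diff touches.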