From d896af655c4e2d745944650d270f3f44b1afc0d6 Mon Sep 17 00:00:00 2001 From: Emanuele Rocca Date: Sat, 14 May 2022 02:43:52 +0800 Subject: [PATCH] Fix buffer overflow in rc_mksid() rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string. If the process id is bigger than 65535 (FFFF), its hex representation will be longer than 4 characters, resulting in a buffer overflow. The bug can be exploited to cause a remote DoS. Bug-Debian: https://bugs.debian.org/782450 Last-Update: <2015-04-14> Gbp-Pq: Name rc_mksid-no-buffer-overflow --- pppd/plugins/radius/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c index 6f976a7..166bd5f 100644 --- a/pppd/plugins/radius/util.c +++ b/pppd/plugins/radius/util.c @@ -77,7 +77,7 @@ rc_mksid (void) static unsigned short int cnt = 0; sprintf (buf, "%08lX%04X%02hX", (unsigned long int) time (NULL), - (unsigned int) getpid (), + (unsigned int) getpid () % 65535, cnt & 0xFF); cnt++; return buf;