openkylin
/
ppp
mirror of https://gitee.com/openkylin/ppp.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix buffer overflow in rc_mksid() 

rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.

If the process id is bigger than 65535 (FFFF), its hex representation will be
longer than 4 characters, resulting in a buffer overflow.

The bug can be exploited to cause a remote DoS.

Bug-Debian: https://bugs.debian.org/782450
Last-Update: <2015-04-14>

Gbp-Pq: Name rc_mksid-no-buffer-overflow
This commit is contained in:
Emanuele Rocca 2022-05-14 02:43:52 +08:00 committed by openKylinBot
parent c343611431
commit d896af655c
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pppd/plugins/radius/util.c
View File

@ -77,7 +77,7 @@ rc_mksid (void)
static unsigned short int cnt = 0; static unsigned short int cnt = 0;
sprintf (buf, "%08lX%04X%02hX", sprintf (buf, "%08lX%04X%02hX",
(unsigned long int) time (NULL), (unsigned long int) time (NULL),
(unsigned int) getpid (), (unsigned int) getpid () % 65535,
cnt & 0xFF); cnt & 0xFF);
cnt++; cnt++;
return buf; return buf;