openwrt/package/network/services/ppp/patches/700-radius-Prevent-buffer-overflow-in-rc_mksid.patch

From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@ozlabs.org>
Date: Sat, 4 Jan 2020 12:01:32 +1100
Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()

On some systems getpid() can return a value greater than 65535.
Increase the size of buf[] to allow for this, and use slprintf()
to make sure we never overflow it.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
---
 pppd/plugins/radius/util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
index 6f976a712951..740131e8377c 100644
--- a/pppd/plugins/radius/util.c
+++ b/pppd/plugins/radius/util.c
@@ -73,9 +73,9 @@ void rc_mdelay(int msecs)
 char *
 rc_mksid (void)
 {
-  static char buf[15];
+  static char buf[32];
   static unsigned short int cnt = 0;
-  sprintf (buf, "%08lX%04X%02hX",
+  slprintf(buf, sizeof(buf), "%08lX%04X%02hX",
 	   (unsigned long int) time (NULL),
 	   (unsigned int) getpid (),
 	   cnt & 0xFF);
ppp: backport security fixes 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 215598fd03899c19a9cd26266221269dd5ec8cee) Fixes: CVE-2020-8597 Signed-off-by: Jo-Philipp Wich <jo@mein.io> 2020-02-20 08:03:54 +00:00			`From 858976b1fc3107f1261aae337831959b511b83c2 Mon Sep 17 00:00:00 2001`
			`From: Paul Mackerras <paulus@ozlabs.org>`
			`Date: Sat, 4 Jan 2020 12:01:32 +1100`
			`Subject: [PATCH] radius: Prevent buffer overflow in rc_mksid()`

			`On some systems getpid() can return a value greater than 65535.`
			`Increase the size of buf[] to allow for this, and use slprintf()`
			`to make sure we never overflow it.`

			`Signed-off-by: Paul Mackerras <paulus@ozlabs.org>`
			`---`
			`pppd/plugins/radius/util.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c`
			`index 6f976a712951..740131e8377c 100644`
			`--- a/pppd/plugins/radius/util.c`
			`+++ b/pppd/plugins/radius/util.c`
			`@@ -73,9 +73,9 @@ void rc_mdelay(int msecs)`
			`char *`
			`rc_mksid (void)`
			`{`
			`- static char buf[15];`
			`+ static char buf[32];`
			`static unsigned short int cnt = 0;`
			`- sprintf (buf, "%08lX%04X%02hX",`
			`+ slprintf(buf, sizeof(buf), "%08lX%04X%02hX",`
			`(unsigned long int) time (NULL),`
			`(unsigned int) getpid (),`
			`cnt & 0xFF);`