summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorOwain Ainsworth <oga@cvs.openbsd.org>2009-12-11 18:17:10 +0000
committerOwain Ainsworth <oga@cvs.openbsd.org>2009-12-11 18:17:10 +0000
commit28a117204de86b787eec1dc56addbdf447dea843 (patch)
tree1f7980bdf9cd0b8cf12f1f2474d50fc44fb2ae01 /usr.sbin
parent9e1c58b7454c5112830693613d801288510b7e6e (diff)
Buffer overflow when padding the password buffer to a 16 byte boundary.
found by parfait. Miod again pointed out my mistakes (ppp obviously doesn't sit well with me). ok miod@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ppp/ppp/radlib.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/usr.sbin/ppp/ppp/radlib.c b/usr.sbin/ppp/ppp/radlib.c
index e7038ded2a7..ea8fe638b2f 100644
--- a/usr.sbin/ppp/ppp/radlib.c
+++ b/usr.sbin/ppp/ppp/radlib.c
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $OpenBSD: radlib.c,v 1.9 2007/09/25 11:20:34 chl Exp $
+ * $OpenBSD: radlib.c,v 1.10 2009/12/11 18:17:09 oga Exp $
*/
#include <sys/types.h>
@@ -182,8 +182,13 @@ put_password_attr(struct rad_handle *h, int type, const void *value, size_t len)
}
if (len > PASSSIZE)
len = PASSSIZE;
- padded_len = len == 0 ? 16 : (len+15) & ~0xf;
- pad_len = padded_len - len;
+ if (len % 16)
+ pad_len = 16 - (len % 16);
+ else if (len == 0)
+ pad_len = 16;
+ else
+ pad_len = 0;
+ padded_len = len + pad_len;
/*
* Put in a place-holder attribute containing all zeros, and