diff options
author | Owain Ainsworth <oga@cvs.openbsd.org> | 2009-12-11 18:17:10 +0000 |
---|---|---|
committer | Owain Ainsworth <oga@cvs.openbsd.org> | 2009-12-11 18:17:10 +0000 |
commit | 28a117204de86b787eec1dc56addbdf447dea843 (patch) | |
tree | 1f7980bdf9cd0b8cf12f1f2474d50fc44fb2ae01 /usr.sbin | |
parent | 9e1c58b7454c5112830693613d801288510b7e6e (diff) |
Buffer overflow when padding the password buffer to a 16 byte boundary.
found by parfait. Miod again pointed out my mistakes (ppp obviously doesn't sit
well with me).
ok miod@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ppp/ppp/radlib.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/usr.sbin/ppp/ppp/radlib.c b/usr.sbin/ppp/ppp/radlib.c index e7038ded2a7..ea8fe638b2f 100644 --- a/usr.sbin/ppp/ppp/radlib.c +++ b/usr.sbin/ppp/ppp/radlib.c @@ -23,7 +23,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $OpenBSD: radlib.c,v 1.9 2007/09/25 11:20:34 chl Exp $ + * $OpenBSD: radlib.c,v 1.10 2009/12/11 18:17:09 oga Exp $ */ #include <sys/types.h> @@ -182,8 +182,13 @@ put_password_attr(struct rad_handle *h, int type, const void *value, size_t len) } if (len > PASSSIZE) len = PASSSIZE; - padded_len = len == 0 ? 16 : (len+15) & ~0xf; - pad_len = padded_len - len; + if (len % 16) + pad_len = 16 - (len % 16); + else if (len == 0) + pad_len = 16; + else + pad_len = 0; + padded_len = len + pad_len; /* * Put in a place-holder attribute containing all zeros, and |