authorJonathan Gray <jsg@cvs.openbsd.org>2014-12-10 03:39:55 +0000
committerJonathan Gray <jsg@cvs.openbsd.org>2014-12-10 03:39:55 +0000
commit17615668abb24b17d317c1b146b23a87e97c3ea2 (patch)
treea65d727bd73491ddc0fefe15f1ee38bc64505184 /usr.sbin
parent7aac7c94b1789c24db7d6c2d935567797da91e80 (diff)
Fix a potential integer overflow in pppd options file parsing.
From Paul Mackerras in 7658e8257183f062dc01f87969c140707c7e52cb. This issue is CVE-2014-3158.
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/pppd/options.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/usr.sbin/pppd/options.c b/usr.sbin/pppd/options.c
index 689c9b6c1f0..99c29d8e10f 100644
--- a/usr.sbin/pppd/options.c
+++ b/usr.sbin/pppd/options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: options.c,v 1.26 2013/10/27 18:49:25 guenther Exp $ */
+/* $OpenBSD: options.c,v 1.27 2014/12/10 03:39:54 jsg Exp $ */
/*
* options.c - handles option processing for PPP.
@@ -889,9 +889,10 @@ getword(f, word, newlinep, filename)
/*
* Store the resulting character for the escape sequence.
*/
- if (len < MAXWORDLEN-1)
+ if (len < MAXWORDLEN) {
word[len] = value;
- ++len;
+ ++len;
+ }
if (!got)
c = getc(f);
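Review bot: The new guard `if (len < MAXWORDLEN) {` lets `word[len] = value;` write index MAXWORDLEN-1, where the old `MAXWORDLEN-1` bound stopped one byte short, so the last byte of the buffer can now hold data rather than a terminator. Moving `++len` inside the braces stops len from growing without bound on an overlong word, which leaves `len == MAXWORDLEN` as the only sign of truncation. That is safe only if `word` is at least MAXWORDLEN bytes in every caller and if the code after the loop, outside this hunk, resets len and writes the terminator; both should be confirmed. Once they are, a comment above the guard would record the invariant: `/* len saturates at MAXWORDLEN; the too-long check after the loop depends on this */`. The same applies to the ordinary-character store `word[len] = c;` in the hunk at -924.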
@@ -924,9 +925,10 @@ getword(f, word, newlinep, filename)
/*
* An ordinary character: store it in the word and get another.
*/
- if (len < MAXWORDLEN-1)
+ if (len < MAXWORDLEN) {
word[len] = c;
- ++len;
+ ++len;
+ }
c = getc(f);
}