forked from brl/citadel
31 lines
1013 B
Diff
31 lines
1013 B
Diff
ppp: Buffer overflow in radius plugin
|
|
|
|
From: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=782450
|
|
|
|
Upstream-Status: Backport
|
|
CVE: CVE-2015-3310
|
|
|
|
On systems with more than 65535 processes running, pppd aborts when
|
|
sending a "start" accounting message to the RADIUS server because of a
|
|
buffer overflow in rc_mksid.
|
|
|
|
The process id is used in rc_mksid to generate a pseudo-unique string,
|
|
assuming that the hex representation of the pid will be at most 4
|
|
characters (FFFF). __sprintf_chk(), used when compiling with
|
|
optimization levels greater than 0 and FORTIFY_SOURCE, detects the
|
|
buffer overflow and makes pppd crash.
|
|
|
|
The following patch fixes the problem.
|
|
|
|
--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
|
|
+++ ppp-2.4.6/pppd/plugins/radius/util.c
|
|
@@ -77,7 +77,7 @@ rc_mksid (void)
|
|
static unsigned short int cnt = 0;
|
|
sprintf (buf, "%08lX%04X%02hX",
|
|
(unsigned long int) time (NULL),
|
|
- (unsigned int) getpid (),
|
|
+ (unsigned int) getpid () % 65535,
|
|
cnt & 0xFF);
|
|
cnt++;
|
|
return buf;
|