From 73e2be1336c9b94b07e9d5e2b32f0cd6a419a896 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Sun, 3 Aug 2014 11:15:36 +0000 Subject: ppp: fix a buffer overrun in the ms chap code https://dev.openwrt.org/ticket/17296 Signed-off-by: John Crispin Backport of r41882 git-svn-id: svn://svn.openwrt.org/openwrt/branches/barrier_breaker@41966 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- .../services/ppp/patches/520-ms_chap_buffer_overrun.patch | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 package/network/services/ppp/patches/520-ms_chap_buffer_overrun.patch (limited to 'package/network') diff --git a/package/network/services/ppp/patches/520-ms_chap_buffer_overrun.patch b/package/network/services/ppp/patches/520-ms_chap_buffer_overrun.patch new file mode 100644 index 0000000000..acbf33b65a --- /dev/null +++ b/package/network/services/ppp/patches/520-ms_chap_buffer_overrun.patch @@ -0,0 +1,13 @@ +Index: ppp-2.4.6/pppd/chap_ms.c +=================================================================== +--- ppp-2.4.6.orig/pppd/chap_ms.c 2014-07-29 00:38:03.073968867 +0100 ++++ ppp-2.4.6/pppd/chap_ms.c 2014-07-29 00:41:52.897964689 +0100 +@@ -382,7 +382,7 @@ + unsigned char *private) + { + const struct chapms2_response_cache_entry *cache_entry; +- unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH]; ++ unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH+1]; + + challenge++; /* skip length, should be 16 */ + *response++ = MS_CHAP2_RESPONSE_LEN; -- cgit v1.2.3