blob: c6f7a0fdd85e6832c609b52179fb684dc9899355 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
Description: Fix buffer overflow in rc_mksid()
rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
.
If the process id is bigger than 65535 (FFFF), its hex representation will be
longer than 4 characters, resulting in a buffer overflow.
.
The bug can be exploited to cause a remote DoS.
.
Author: Emanuele Rocca <ema@debian.org>
Bug-Debian: https://bugs.debian.org/782450
Last-Update: <2015-04-14>
--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
+++ ppp-2.4.6/pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
static unsigned short int cnt = 0;
sprintf (buf, "%08lX%04X%02hX",
(unsigned long int) time (NULL),
- (unsigned int) getpid (),
+ (unsigned int) getpid () % 65535,
cnt & 0xFF);
cnt++;
return buf;
|
