Fix buffer overflow in rc_mksid()
rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
If the process id is bigger than 65535 (FFFF), its hex representation will be
longer than 4 characters, resulting in a buffer overflow.
The bug can be exploited to cause a remote DoS.
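--- a/pppd/plugins/radius/util.c
+++ b/pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
 static unsigned short int cnt = 0;
 sprintf (buf, "%08lX%04X%02hX",
 (unsigned long int) time (NULL),
- (unsigned int) getpid (),
+ (unsigned int) getpid () & 0xFFFF,
 cnt & 0xFF);
 cnt++;
 return buf;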
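Review bot: The write into `buf` is still an unbounded `sprintf`, and the mask added on the `getpid ()` argument covers only one of the three fields. `%08lX` is a minimum width, so on a platform where `unsigned long` is 64 bits a `time (NULL)` result above 0xFFFFFFFF (including a `(time_t) -1` failure return) would still print more than 8 digits and overrun the buffer. I would bound the write itself, e.g. `snprintf (buf, sizeof buf, "%08lX%04X%02hX",` if `buf` is an array, or at least mask the time argument as well: `(unsigned long int) time (NULL) & 0xFFFFFFFFUL,`. The declaration of `buf` and the start of rc_mksid are outside the hunk, so its size should be confirmed against the 14 characters plus terminator this format is meant to emit. Masking the PID also means two pppd processes whose PIDs differ by a multiple of 65536 get the same middle field, which deserves a short comment since the string is meant to be pseudo-unique.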