void-packages/srcpkgs/ppp/patches/CVE-2015-3310.patch

19 lines
619 B
Diff

Fix buffer overflow in rc_mksid()
rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
If the process id is bigger than 65535 (FFFF), its hex representation will be
longer than 4 characters, resulting in a buffer overflow.
The bug can be exploited to cause a remote DoS.
--- pppd/plugins/radius/util.c
+++ pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
static unsigned short int cnt = 0;
sprintf (buf, "%08lX%04X%02hX",
(unsigned long int) time (NULL),
- (unsigned int) getpid (),
+ (unsigned int) getpid () & 0xFFFF,
cnt & 0xFF);
cnt++;
return buf;