authorEmanuele Rocca <ema@debian.org>2018-11-04 12:56:54 +0000
committerChris Boot <bootc@debian.org>2018-11-04 12:56:54 +0000
commitbef4e99df0f0b52690878961d3eb9bcc72d63a03 (patch)
treed316bcf8ec589f89b5d5a19f7a02640d5933deed
parent87d0a940774a6df688d0ae588ad756b64043340c (diff)
Fix buffer overflow in rc_mksid()
rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string. If the process id is bigger than 65535 (FFFF), its hex representation will be longer than 4 characters, resulting in a buffer overflow. The bug can be exploited to cause a remote DoS. Bug-Debian: https://bugs.debian.org/782450 Last-Update: <2015-04-14> Gbp-Pq: Name rc_mksid-no-buffer-overflow
-rw-r--r--pppd/plugins/radius/util.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
index 6f976a7..166bd5f 100644
--- a/pppd/plugins/radius/util.c
+++ b/pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
static unsigned short int cnt = 0;
sprintf (buf, "%08lX%04X%02hX",
(unsigned long int) time (NULL),
- (unsigned int) getpid (),
+ (unsigned int) getpid () % 65535,
cnt & 0xFF);
cnt++;
return buf;
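Review bot: The `sprintf` call is still unbounded, so the fix only holds while every field prints at exactly its minimum width. `%04X` is now capped, but `%08lX` is also just a minimum: where `unsigned long` is 64 bits, a `time()` value above 0xFFFFFFFF, or its `(time_t)-1` error return, prints more than 8 digits. Assuming `buf` is a fixed-size array declared above the hunk (not visible here), I would bound the write and mask each field: `snprintf (buf, sizeof buf, "%08lX%04X%02hX", (unsigned long int) time (NULL) & 0xFFFFFFFFUL, (unsigned int) getpid () & 0xFFFF, cnt & 0xFF);`. Masking with `& 0xFFFF` also keeps the full 16-bit range, whereas `% 65535` folds PID 65535 onto 0. The body of rc_mksid starts and ends outside the hunk.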