author | Emanuele Rocca <ema@debian.org> | 2018-11-04 12:56:54 +0000 |
---|---|---|
committer | Chris Boot <bootc@debian.org> | 2018-11-04 12:56:54 +0000 |
commit | bef4e99df0f0b52690878961d3eb9bcc72d63a03 (patch) | |
tree | d316bcf8ec589f89b5d5a19f7a02640d5933deed | |
parent | 87d0a940774a6df688d0ae588ad756b64043340c (diff) |
Fix buffer overflow in rc_mksid()
rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
If the process id is bigger than 65535 (FFFF), its hex representation will be
longer than 4 characters, resulting in a buffer overflow.
The bug can be exploited to cause a remote DoS.
Bug-Debian: https://bugs.debian.org/782450
Last-Update: <2015-04-14>
Gbp-Pq: Name rc_mksid-no-buffer-overflow
-rw-r--r-- | pppd/plugins/radius/util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c index 6f976a7..166bd5f 100644 --- a/pppd/plugins/radius/util.c +++ b/pppd/plugins/radius/util.c @@ -77,7 +77,7 @@ rc_mksid (void) static unsigned short int cnt = 0; sprintf (buf, "%08lX%04X%02hX", (unsigned long int) time (NULL), - (unsigned int) getpid (), + (unsigned int) getpid () % 65535, cnt & 0xFF); cnt++; return buf; |
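Review bot: The changed argument `(unsigned int) getpid () % 65535` keeps the `%04X` field to four digits, but the `sprintf (buf, ...)` call is still unbounded, so the fix only holds while every argument stays within its field width. `%08lX` has the same weakness: the width is a minimum, and where `unsigned long` is 64 bits a `time (NULL)` value above 0xFFFFFFFF would print more than eight digits. Consider `snprintf` with the size of `buf` (its declaration is outside the visible context) so that the call itself enforces the bound. A smaller point: `% 65535` yields 0..65534, so PIDs 65535 and 0 map to the same value and FFFF is never produced; `& 0xFFFF` or `% 65536` would use the full four-digit range if that was the intent.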