Use strcmp() instead of memcmp() because if we get passed a 0 length name

and secret, we'll authenticate successfully! While there, rename passwd to
secret so that code looks nicer.
christos 2002-07-27 19:09:07 +00:00
parent e697956ce6
commit ca989d9a38


@ -1,4 +1,4 @@
/* $NetBSD: if_spppsubr.c,v 1.51 2002/07/13 11:08:03 martin Exp $ */ /* $NetBSD: if_spppsubr.c,v 1.52 2002/07/27 19:09:07 christos Exp $ */
/* /*
* Synchronous PPP/Cisco link level subroutines. * Synchronous PPP/Cisco link level subroutines.
@ -28,7 +28,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.51 2002/07/13 11:08:03 martin Exp $"); __KERNEL_RCSID(0, "$NetBSD: if_spppsubr.c,v 1.52 2002/07/27 19:09:07 christos Exp $");
#include "opt_inet.h" #include "opt_inet.h"
#include "opt_ipx.h" #include "opt_ipx.h"
@ -4195,8 +4195,8 @@ sppp_pap_input(struct sppp *sp, struct mbuf *m)
struct lcp_header *h; struct lcp_header *h;
int len, x; int len, x;
u_char mlen; u_char mlen;
char *name, *passwd; char *name, *secret, sname, ssecret;
int name_len, passwd_len; int name_len, secret_len;
len = m->m_pkthdr.len; len = m->m_pkthdr.len;
if (len < 5) { if (len < 5) {
@ -4220,9 +4220,9 @@ sppp_pap_input(struct sppp *sp, struct mbuf *m)
} }
name = 1 + (u_char*)(h+1); name = 1 + (u_char*)(h+1);
name_len = name[-1]; name_len = name[-1];
passwd = name + name_len + 1; secret = name + name_len + 1;
if (name_len > len - 6 || if (name_len > len - 6 ||
(passwd_len = passwd[-1]) > len - 6 - name_len) { (secret_len = secret[-1]) > len - 6 - name_len) {
if (debug) { if (debug) {
log(LOG_DEBUG, SPP_FMT "pap corrupted input " log(LOG_DEBUG, SPP_FMT "pap corrupted input "
"<%s id=0x%x len=%d", "<%s id=0x%x len=%d",
@ -4243,12 +4243,18 @@ sppp_pap_input(struct sppp *sp, struct mbuf *m)
sppp_auth_type_name(PPP_PAP, h->type), sppp_auth_type_name(PPP_PAP, h->type),
h->ident, ntohs(h->len)); h->ident, ntohs(h->len));
sppp_print_string((char*)name, name_len); sppp_print_string((char*)name, name_len);
addlog(" passwd="); addlog(" secret=");
sppp_print_string((char*)passwd, passwd_len); sppp_print_string((char*)secret, secret_len);
addlog(">\n"); addlog(">\n");
} }
if (memcmp(name, sp->hisauth.name, name_len) != 0 || sname = name[name_len];
memcmp(passwd, sp->hisauth.secret, passwd_len) != 0) { ssecret = secret[secret_len];
name[name_len] = '\0';
secret[secret_len] = '\0';
if (strcmp(name, sp->hisauth.name) != 0 ||
strcmp(secret, sp->hisauth.secret) != 0) {
name[name_len] = sname;
secret[secret_len] = ssecret;
/* action scn, tld */ /* action scn, tld */
sp->pp_auth_failures++; sp->pp_auth_failures++;
mlen = sizeof(FAILMSG) - 1; mlen = sizeof(FAILMSG) - 1;
@ -4259,6 +4265,8 @@ sppp_pap_input(struct sppp *sp, struct mbuf *m)
pap.tld(sp); pap.tld(sp);
break; break;
} }
name[name_len] = sname;
secret[secret_len] = ssecret;
/* action sca, perhaps tlu */ /* action sca, perhaps tlu */
if (sp->state[IDX_PAP] == STATE_REQ_SENT || if (sp->state[IDX_PAP] == STATE_REQ_SENT ||
sp->state[IDX_PAP] == STATE_OPENED) { sp->state[IDX_PAP] == STATE_OPENED) {
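Review bot: The in-place termination `secret[secret_len] = '\0'` can read and write one byte past the validated packet, because the bounds check above accepts `secret_len == len - 6 - name_len` (the secret running to the end of the request), which by that check's own arithmetic puts `secret[secret_len]` at offset `len`. The save/restore also modifies the received buffer in place, and whether that mbuf is writable and contiguous here is not visible in the hunk. Comparing lengths first keeps the zero-length fix without touching the packet: keep the two original `memcmp()` tests and put `name_len != strlen(sp->hisauth.name) || secret_len != strlen(sp->hisauth.secret) ||` in front of them, which makes `sname`/`ssecret` and the four restore lines unnecessary. Two smaller points: `strcmp()` stops at the first NUL, so a length-prefixed field with an embedded NUL compares equal to its prefix, and `name_len = name[-1]` reads through a plain `char *`, so where `char` is signed a length byte of 0x80 or more becomes negative before it is used as the index in `name[name_len]`. sppp_pap_input() starts and ends outside these hunks.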