ppp: fix buffer overflow, set correct state after chap negotiation (thanks k0ga)

(ppp->secret comes from factotum and it can have any size) This patch also sets the correct state after success and failure cases in chap negotiation (without them the code was working because it expected the other point to pass to net phase or due to the timer).
2016-03-15 22:31:03 +01:00 · 2016-03-15 22:31:03 +01:00 · 7f224a8f6d
commit 7f224a8f6d
parent 708178e615
1 changed files with 11 additions and 5 deletions
--- a/sys/src/cmd/ip/ppp/ppp.c
+++ b/sys/src/cmd/ip/ppp/ppp.c
@ -2103,12 +2103,15 @@ getchap(PPP *ppp, Block *b)
 		default:
 			abort();
 		case APmd5:
+			n = strlen(ppp->secret);
+			if(n + vlen + 1 > sizeof(md5buf)) {
+				netlog("PPP: chap: bad challenge len\n");
+				goto end;
+			}
 			md5buf[0] = m->id;
-			strcpy(md5buf+1, ppp->secret);
-			n = strlen(ppp->secret) + 1;
-			memmove(md5buf+n, m->data+1, vlen);
-			n += vlen;
-			md5((uchar*)md5buf, n, digest, nil);
+			memcpy(md5buf+1, ppp->secret, n);
+			memcpy(md5buf+1+n, m->data+1, vlen);
+			md5((uchar*)md5buf, n + vlen + 1, digest, nil);
 			resp = digest;
 			nresp = 16;
 			break;
@ -2229,14 +2232,17 @@ getchap(PPP *ppp, Block *b)
 		break;
 	case Csuccess:
 		netlog("ppp: chap succeeded\n");
+		setphase(ppp, Pnet);
 		break;
 	case Cfailure:
 		netlog("ppp: chap failed\n");
+		terminate(ppp, 0);
 		break;
 	default:
 		syslog(0, LOG, "chap code %d?", m->code);
 		break;
 	}
+end:
 	qunlock(ppp);
 	freeb(b);
 }