PPP, EAP: fix bounds check in EAP code

Given that we have just checked vallen < len, it can never be the case
that vallen >= len + sizeof(rhostname).  This fixes the check so we
actually avoid overflowing the rhostname array.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Sylvain Rochet <gradator@gradator.net> (compiler warning fix about int vs uint comparisons)

src/netif/ppp/eap.c

@@ -1417,7 +1417,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
  }
 
  /* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= (int)sizeof (rhostname)) {
  ppp_dbglog(("EAP: trimming really long peer name down"));
  MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
  rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1845,7 +1845,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
  }
 
  /* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= (int)sizeof (rhostname)) {
  ppp_dbglog(("EAP: trimming really long peer name down"));
  MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
  rhostname[sizeof (rhostname) - 1] = '\0';