ppp: Fix potential array overflow

`vallen` is verified to be less than `len`, therefore, it can never be the case that `vallen >= len + sizeof(rhostname)`. This PR fixes the check so the `rhostname` array does not overflow. Reported-by: Github Security Lab <securitylab@github.com> Signed-off-by: Alvaro Muñoz <pwntester@github.com> Ref IDF-4847
espressif · Aug 16, 2022 · c35e4d3 · c35e4d3
1 parent 6666694
commit c35e4d3
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/netif/ppp/eap.c b/src/netif/ppp/eap.c
@@ -1417,7 +1417,7 @@ static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) {
  }
 
  /* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
  ppp_dbglog("EAP: trimming really long peer name down");
  MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
  rhostname[sizeof (rhostname) - 1] = '\0';
@@ -1845,7 +1845,7 @@ static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) {
  }
 
  /* Not so likely to happen. */
- if (vallen >= len + sizeof (rhostname)) {
+ if (len - vallen >= sizeof (rhostname)) {
  ppp_dbglog("EAP: trimming really long peer name down");
  MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1);
  rhostname[sizeof (rhostname) - 1] = '\0';