- Fix buffer overflow in rc_mksid()
- rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
- If the process id is bigger than 65535 (FFFF), its hex representation will be
- longer than 4 characters, resulting in a buffer overflow.
-
- The bug can be exploited to cause a remote DoS.
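--- ppp-2.4.7/pppd/plugins/radius/util.c
+++ ppp-2.4.7/pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
 static unsigned short int cnt = 0;
 sprintf (buf, "%08lX%04X%02hX",
 (unsigned long int) time (NULL),
-(unsigned int) getpid (),
+(unsigned int) getpid () & 0xFFFF,
 cnt & 0xFF);
 cnt++;
 return buf;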
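Review bot: The `sprintf` call stays unbounded, so masking the `getpid ()` argument fixes only the one field that overflowed. `%08lX` and `%04X` are minimum widths, and on a platform with a 64-bit `long` the time field can also exceed eight digits once the value passes 0xFFFFFFFF. Using `snprintf (buf, sizeof buf, "%08lX%04X%02hX", ...)` would keep the write inside the buffer whatever the arguments are, assuming `buf` is an array declared in rc_mksid above the hunk (its declaration is not visible here). Masking to 16 bits also means two pppd processes whose PIDs differ by a multiple of 65536 can produce the same session id within the same second, which deserves a comment such as `/* PID truncated to 16 bits to fit the 4-digit field; ids are only pseudo-unique */`. The body of rc_mksid starts outside the hunk.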