1 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
new file mode 100644
index 0000000000..b7ba7ba643
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
@@ -0,0 +1,47 @@
+From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 15:53:28 +1100
+Subject: [PATCH] pppd: Fix bounds check in EAP code
+Given that we have just checked vallen < len, it can never be the case
+that vallen >= len + sizeof(rhostname).  This fixes the check so we
+actually avoid overflowing the rhostname array.
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Upstream-Status: Backport
+[https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426]
+CVE: CVE-2020-8597
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ pppd/eap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f5..1b93db0 100644
+--- a/pppd/eap.c
+++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+                }
+ 
+                /* Not so likely to happen. */
+-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
+                        dbglog("EAP: trimming really long peer name down");
+                        BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+                        rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+                }
+ 
+                /* Not so likely to happen. */
+-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
+                        dbglog("EAP: trimming really long peer name down");
+                        BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+                        rhostname[sizeof (rhostname) - 1] = '\0';
+-- 
+2.17.1

diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch new file mode 100644 index 0000000000..b7ba7ba643 --- /dev/null +++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
@@ -0,0 +1,47 @@
	1	From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
	2	From: Paul Mackerras <paulus@ozlabs.org>
	3	Date: Mon, 3 Feb 2020 15:53:28 +1100
	4	Subject: [PATCH] pppd: Fix bounds check in EAP code
	5
	6	Given that we have just checked vallen < len, it can never be the case
	7	that vallen >= len + sizeof(rhostname). This fixes the check so we
	8	actually avoid overflowing the rhostname array.
	9
	10	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	11	Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
	12
	13	Upstream-Status: Backport
	14	[https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426]
	15
	16	CVE: CVE-2020-8597
	17
	18	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	19	---
	20	pppd/eap.c \| 4 ++--
	21	1 file changed, 2 insertions(+), 2 deletions(-)
	22
	23	diff --git a/pppd/eap.c b/pppd/eap.c
	24	index 94407f5..1b93db0 100644
	25	--- a/pppd/eap.c
	26	+++ b/pppd/eap.c
	27	@@ -1420,7 +1420,7 @@ int len;
	28	}
	29
	30	/* Not so likely to happen. */
	31	- if (vallen >= len + sizeof (rhostname)) {
	32	+ if (len - vallen >= sizeof (rhostname)) {
	33	dbglog("EAP: trimming really long peer name down");
	34	BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
	35	rhostname[sizeof (rhostname) - 1] = '\0';
	36	@@ -1846,7 +1846,7 @@ int len;
	37	}
	38
	39	/* Not so likely to happen. */
	40	- if (vallen >= len + sizeof (rhostname)) {
	41	+ if (len - vallen >= sizeof (rhostname)) {
	42	dbglog("EAP: trimming really long peer name down");
	43	BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
	44	rhostname[sizeof (rhostname) - 1] = '\0';
	45	--
	46	2.17.1
	47