2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
new file mode 100644
index 0000000000..b7ba7ba643
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
@@ -0,0 +1,47 @@
+From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 15:53:28 +1100
+Subject: [PATCH] pppd: Fix bounds check in EAP code
+Given that we have just checked vallen < len, it can never be the case
+that vallen >= len + sizeof(rhostname).  This fixes the check so we
+actually avoid overflowing the rhostname array.
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Upstream-Status: Backport
+[https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426]
+CVE: CVE-2020-8597
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ pppd/eap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f5..1b93db0 100644
+--- a/pppd/eap.c
+++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+                }
+ 
+                /* Not so likely to happen. */
+-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
+                        dbglog("EAP: trimming really long peer name down");
+                        BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+                        rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+                }
+ 
+                /* Not so likely to happen. */
+-               if (vallen >= len + sizeof (rhostname)) {
+               if (len - vallen >= sizeof (rhostname)) {
+                        dbglog("EAP: trimming really long peer name down");
+                        BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+                        rhostname[sizeof (rhostname) - 1] = '\0';
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
index 644cde4562..60c56dd0bd 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
           file://0001-pppoe-include-netinet-in.h-before-linux-in.h.patch \
           file://0001-ppp-Remove-unneeded-include.patch \
           file://ppp-2.4.7-DES-openssl.patch \
+           file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
 "
 SRC_URI_append_libc-musl = "\

diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch new file mode 100644 index 0000000000..b7ba7ba643 --- /dev/null +++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
@@ -0,0 +1,47 @@
		1	From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
		2	From: Paul Mackerras <paulus@ozlabs.org>
		3	Date: Mon, 3 Feb 2020 15:53:28 +1100
		4	Subject: [PATCH] pppd: Fix bounds check in EAP code
		5
		6	Given that we have just checked vallen < len, it can never be the case
		7	that vallen >= len + sizeof(rhostname). This fixes the check so we
		8	actually avoid overflowing the rhostname array.
		9
		10	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
		11	Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
		12
		13	Upstream-Status: Backport
		14	[https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426]
		15
		16	CVE: CVE-2020-8597
		17
		18	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		19	---
		20	pppd/eap.c \| 4 ++--
		21	1 file changed, 2 insertions(+), 2 deletions(-)
		22
		23	diff --git a/pppd/eap.c b/pppd/eap.c
		24	index 94407f5..1b93db0 100644
		25	--- a/pppd/eap.c
		26	+++ b/pppd/eap.c
		27	@@ -1420,7 +1420,7 @@ int len;
		28	}
		29
		30	/* Not so likely to happen. */
		31	- if (vallen >= len + sizeof (rhostname)) {
		32	+ if (len - vallen >= sizeof (rhostname)) {
		33	dbglog("EAP: trimming really long peer name down");
		34	BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
		35	rhostname[sizeof (rhostname) - 1] = '\0';
		36	@@ -1846,7 +1846,7 @@ int len;
		37	}
		38
		39	/* Not so likely to happen. */
		40	- if (vallen >= len + sizeof (rhostname)) {
		41	+ if (len - vallen >= sizeof (rhostname)) {
		42	dbglog("EAP: trimming really long peer name down");
		43	BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
		44	rhostname[sizeof (rhostname) - 1] = '\0';
		45	--
		46	2.17.1
		47


diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb index 644cde4562..60c56dd0bd 100644 --- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb +++ b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
33	file://0001-pppoe-include-netinet-in.h-before-linux-in.h.patch \	33	file://0001-pppoe-include-netinet-in.h-before-linux-in.h.patch \
34	file://0001-ppp-Remove-unneeded-include.patch \	34	file://0001-ppp-Remove-unneeded-include.patch \
35	file://ppp-2.4.7-DES-openssl.patch \	35	file://ppp-2.4.7-DES-openssl.patch \
		36	file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
36	"	37	"
37		38
38	SRC_URI_append_libc-musl = "\	39	SRC_URI_append_libc-musl = "\