Fix some heap over-read in logging in PPTP protocol handler.

2025-01-03 06:45:37 -08:00 · 2021-03-05 08:41:26 +00:00 · 2021-03-05 08:41:26 +00:00 · 3e92b40a73
commit 3e92b40a73
parent 7af96dc258
2 changed files with 17 additions and 18 deletions
--- a/usr.sbin/npppd/pptp/pptp_call.c
+++ b/usr.sbin/npppd/pptp/pptp_call.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: pptp_call.c,v 1.9 2015/12/05 16:10:31 yasuoka Exp $	*/
+/*	$OpenBSD: pptp_call.c,v 1.10 2021/03/05 08:41:26 yasuoka Exp $	*/

 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@ -25,7 +25,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
-/* $Id: pptp_call.c,v 1.9 2015/12/05 16:10:31 yasuoka Exp $ */
+/* $Id: pptp_call.c,v 1.10 2021/03/05 08:41:26 yasuoka Exp $ */
 /**@file PPTP Call */
 /* currently it supports PAC mode only */
 #include <sys/types.h>
@ -802,12 +802,13 @@ pptp_call_OCRQ_string(struct pptp_ocrq *ocrq, char *buf, int lbuf)
 	snprintf(buf, lbuf,
 	    "call_id=%u call_serial_number=%u max_bps=%u min_bps=%u bearer=%s "
 	    "framing=%s recv_winsz=%u packet_proccessing_delay=%u "
-	    "phone_nunmber=%s subaddress=%s",
+	    "phone_nunmber=%.*s subaddress=%.*s",
 	    ocrq->call_id, ocrq->call_serial_number, ocrq->maximum_bps,
 	    ocrq->minimum_bps, pptp_bearer_string(ocrq->bearer_type),
 	    pptp_framing_string(ocrq->framing_type), ocrq->recv_winsz,
-	    ocrq->packet_proccessing_delay, ocrq->phone_number,
-	    ocrq->subaddress);
+	    ocrq->packet_proccessing_delay,
+	    (u_int)sizeof(ocrq->phone_number), ocrq->phone_number,
+	    (u_int)sizeof(ocrq->subaddress), ocrq->subaddress);
 }

 /* convert Outgoing-Call-Reply packet to strings */
--- a/usr.sbin/npppd/pptp/pptp_ctrl.c
+++ b/usr.sbin/npppd/pptp/pptp_ctrl.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: pptp_ctrl.c,v 1.11 2016/04/16 18:32:29 krw Exp $	*/
+/*	$OpenBSD: pptp_ctrl.c,v 1.12 2021/03/05 08:41:26 yasuoka Exp $	*/

 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@ -29,7 +29,7 @@
 * PPTP(RFC 2637) control connection implementation.
 * currently it only support PAC part
 */
-/* $Id: pptp_ctrl.c,v 1.11 2016/04/16 18:32:29 krw Exp $ */
+/* $Id: pptp_ctrl.c,v 1.12 2021/03/05 08:41:26 yasuoka Exp $ */
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@ -556,26 +556,24 @@ pptp_ctrl_output_flush(pptp_ctrl *_this)
 static void
 pptp_ctrl_SCCRx_string(struct pptp_scc *scc, u_char *buf, int lbuf)
 {
-	char buf1[128], buf2[128], buf3[128];
-
-	/* sanity check */
-	strlcpy(buf1, scc->host_name, sizeof(buf1));
-	strlcpy(buf2, scc->vendor_string, sizeof(buf2));
+	char results[128];

 	if (scc->result_code != 0)
-		snprintf(buf3, sizeof(buf3), "result=%d error=%d ",
+		snprintf(results, sizeof(results), "result=%d error=%d ",
 		    scc->result_code, scc->error_code);
 	else
-		buf3[0] = '\0';
+		results[0] = '\0';

 	snprintf(buf, lbuf,
 	    "protocol_version=%d.%d %sframing=%s bearer=%s max_channels=%d "
-	    "firmware_revision=%d(0x%04x) host_name=\"%s\" "
-	    "vendor_string=\"%s\"",
-	    scc->protocol_version >> 8, scc->protocol_version & 0xff, buf3,
+	    "firmware_revision=%d(0x%04x) host_name=\"%.*s\" "
+	    "vendor_string=\"%.*s\"",
+	    scc->protocol_version >> 8, scc->protocol_version & 0xff, results,
 	    pptp_framing_string(scc->framing_caps),
 	    pptp_bearer_string(scc->bearer_caps), scc->max_channels,
-	    scc->firmware_revision, scc->firmware_revision, buf1, buf2);
+	    scc->firmware_revision, scc->firmware_revision,
+	    (u_int)sizeof(scc->host_name), scc->host_name,
+	    (u_int)sizeof(scc->vendor_string), scc->vendor_string);
 }

 /* receive Start-Control-Connection-Request */