This is another MFC candidate.

Fix a serious bug in sppp where anyone could obtain a successful PAP authentication by supplying a null password. I've only stumpled across the PR while browsing for all sppp-related PRs. Should we also file a security advisory for this? PR: 21592 Submitted by: <dli@3bc.de> Dirk Liebke
author: joerg <joerg@FreeBSD.org> 2001-03-25 09:53:07 +0000
committer: joerg <joerg@FreeBSD.org> 2001-03-25 09:53:07 +0000
commit: 28ec9af9483a1c93f561d336452ffb5d2547d2c7 (patch)
tree: 61550458ef56e9e339f9b88c0c09477c8372dcfe /sys/net/if_spppsubr.c
parent: d8e320c72ce06955bb3b01cbe04e10270a87dfd2 (diff)
download: FreeBSD-src-28ec9af9483a1c93f561d336452ffb5d2547d2c7.zip
FreeBSD-src-28ec9af9483a1c93f561d336452ffb5d2547d2c7.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/if_spppsubr.c b/sys/net/if_spppsubr.c
index 2e59072..d4bdcec 100644
--- a/sys/net/if_spppsubr.c
+++ b/sys/net/if_spppsubr.c
@@ -3448,8 +3448,8 @@ sppp_pap_input(struct sppp *sp, struct mbuf *m)
 			sppp_print_string((char*)passwd, passwd_len);
 			log(-1, ">\n");
 		}
-		if (name_len > AUTHNAMELEN ||
-		    passwd_len > AUTHKEYLEN ||
+		if (name_len != sppp_strnlen(sp->hisauth.name, AUTHNAMELEN) ||
+		    passwd_len != sppp_strnlen(sp->hisauth.secret, AUTHKEYLEN) ||
 		    bcmp(name, sp->hisauth.name, name_len) != 0 ||
 		    bcmp(passwd, sp->hisauth.secret, passwd_len) != 0) {
 			/* action scn, tld */
author	joerg <joerg@FreeBSD.org>	2001-03-25 09:53:07 +0000
committer	joerg <joerg@FreeBSD.org>	2001-03-25 09:53:07 +0000
commit	28ec9af9483a1c93f561d336452ffb5d2547d2c7 (patch)
tree	61550458ef56e9e339f9b88c0c09477c8372dcfe /sys/net/if_spppsubr.c
parent	d8e320c72ce06955bb3b01cbe04e10270a87dfd2 (diff)
download	FreeBSD-src-28ec9af9483a1c93f561d336452ffb5d2547d2c7.zip FreeBSD-src-28ec9af9483a1c93f561d336452ffb5d2547d2c7.tar.gz