From a8c83ef89cf64a832b01495ea3732c11e7b20990 Mon Sep 17 00:00:00 2001
From: brian <brian@FreeBSD.org>
Date: Tue, 2 Jul 2002 00:47:24 +0000
Subject: Don't trust the MPPE key lengths passed back from the RADIUS server.
 Instead, use the correct values based on the number of bits actually
 negotiated.

Spotted by: Sergey Korolew <ds@rt.balakovo.ru>
---
 usr.sbin/ppp/mppe.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'usr.sbin')

diff --git a/usr.sbin/ppp/mppe.c b/usr.sbin/ppp/mppe.c
index 2d55ee4..606ad0f 100644
--- a/usr.sbin/ppp/mppe.c
+++ b/usr.sbin/ppp/mppe.c
@@ -691,7 +691,8 @@ MPPEInitInput(struct bundle *bundle, struct fsm_opt *o)
 
 #ifndef NORADIUS
   if (*bundle->radius.cfg.file && bundle->radius.mppe.recvkey) {
-    mip->keylen = bundle->radius.mppe.recvkeylen;
+    if (mip->keylen > bundle->radius.mppe.recvkeylen)
+      mip->keylen = bundle->radius.mppe.recvkeylen;
     if (mip->keylen > sizeof mip->mastkey)
       mip->keylen = sizeof mip->mastkey;
     memcpy(mip->mastkey, bundle->radius.mppe.recvkey, mip->keylen);
@@ -746,7 +747,8 @@ MPPEInitOutput(struct bundle *bundle, struct fsm_opt *o)
 
 #ifndef NORADIUS
   if (*bundle->radius.cfg.file && bundle->radius.mppe.sendkey) {
-    mop->keylen = bundle->radius.mppe.sendkeylen;
+    if (mop->keylen > bundle->radius.mppe.sendkeylen)
+      mop->keylen = bundle->radius.mppe.sendkeylen;
     if (mop->keylen > sizeof mop->mastkey)
       mop->keylen = sizeof mop->mastkey;
     memcpy(mop->mastkey, bundle->radius.mppe.sendkey, mop->keylen);
-- 
cgit v1.1