From c10c3c7cb3e779af5286430d5c9bb835a873ab32 Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Mon, 30 Dec 2019 09:32:18 +1100 Subject: [PATCH] pppd: Make sure word read from options file is null-terminated MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a word read from an options file was longer than MAXWORDLEN, we could pass it to option_error() without null termination, which could have lead to an out-of-bounds access in vslprintf. Make sure word[] is null terminated in all cases. Reported-by: Florian Kohnhäuser Signed-off-by: Paul Mackerras --- pppd/options.c | 1 + 1 file changed, 1 insertion(+) diff --git a/pppd/options.c b/pppd/options.c index 5e1489f..f1d2dc9 100644 --- a/pppd/options.c +++ b/pppd/options.c @@ -1357,6 +1357,7 @@ getword(f, word, newlinep, filename) c = getc(f); } + word[MAXWORDLEN-1] = 0; /* make sure word is null-terminated */ /* * End of the word: check for errors.