Open
Description
Hello,
There are two buffer overflows in mpe.c:
0 while (1) {
1 unsigned char buf[4100];
2 unsigned char *mpe_header = buf;
3 unsigned char *tun_header = &buf[MPE_HEADER_LEN];
4 int n = read(tun_fd, tun_header, sizeof(buf));
5 //write(2, tun_header, n);
6 send_mpe(1, mpe_header, n + MPE_HEADER_LEN);
7 }
At line 4, you read 4100 bytes, but the start pointer (tun_header) is at
buf+MPE_HEADER_LEN.
Plus, in send_mpe() you append the CRC (4 bytes) at the end of buf. Space must be
reserved for that.
The attached patch fixes this issue.
Original issue reported on code.google.com by sout...@gmail.com
on 27 Nov 2014 at 9:31
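The bound the report describes, as an added illustration (this is not the reporter's attached patch and not code from mpe.c): the payload read into the middle of the buffer may be at most buffer size minus header minus CRC. MPE_HEADER_LEN's real value lives in mpe.c; the 16 used here, the header/CRC filler bytes and the sample payload are constructed placeholders.

```c
#include <stddef.h>
#include <string.h>

/* Layout from the report: [MPE header][tunnel payload][4-byte CRC] in one
 * 4100-byte stack buffer. The header length is a placeholder here. */
#define BUF_LEN        4100
#define MPE_HEADER_LEN 16    /* placeholder; see mpe.c for the real value */
#define CRC_LEN        4

/* Largest payload that fits after the header while leaving room for the CRC.
 * Returns 0 if the buffer cannot even hold header + CRC.
 * The original loop should pass this value, not sizeof(buf), as the read() length:
 *     read(tun_fd, tun_header, max_payload_len(sizeof buf, MPE_HEADER_LEN, CRC_LEN)) */
static size_t max_payload_len(size_t buf_len, size_t header_len, size_t crc_len)
{
    if (buf_len < header_len + crc_len)
        return 0;
    return buf_len - header_len - crc_len;
}

/* Assemble header + payload + CRC into buf, refusing any payload that would
 * run past buf_len. Filler bytes stand in for the real header and CRC.
 * Returns the frame length, or 0 when the payload is rejected. */
static size_t build_frame(unsigned char *buf, size_t buf_len,
                          const unsigned char *payload, size_t payload_len)
{
    if (payload_len > max_payload_len(buf_len, MPE_HEADER_LEN, CRC_LEN))
        return 0;                                   /* would overflow buf */
    memset(buf, 0xAA, MPE_HEADER_LEN);              /* constructed header */
    memcpy(buf + MPE_HEADER_LEN, payload, payload_len);
    memset(buf + MPE_HEADER_LEN + payload_len, 0xCC, CRC_LEN); /* stand-in CRC */
    return MPE_HEADER_LEN + payload_len + CRC_LEN;
}

/* Exercise the two sizes from the report: a full 4100-byte read result must
 * be rejected, the bounded size must fill the buffer exactly. Returns 1 if both hold. */
static int demo_bounds(void)
{
    unsigned char buf[BUF_LEN];
    unsigned char payload[BUF_LEN];
    memset(payload, 0x01, sizeof payload);          /* constructed tunnel data */
    size_t limit = max_payload_len(BUF_LEN, MPE_HEADER_LEN, CRC_LEN);
    return build_frame(buf, BUF_LEN, payload, BUF_LEN) == 0
        && build_frame(buf, BUF_LEN, payload, limit) == BUF_LEN;
}
```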