Apply by doing:
cd /usr/src
patch -p0 < 009_ppp.patch
And then rebuild and install ppp:
cd usr.sbin/ppp
make clean
make obj
make depend
make
make install
Index: usr.sbin/ppp/ppp/command.c
===================================================================
RCS file: /cvs/src/usr.sbin/ppp/ppp/command.c,v
retrieving revision 1.91
diff -u -p -r1.91 command.c
--- usr.sbin/ppp/ppp/command.c 21 Sep 2005 16:28:47 -0000 1.91
+++ usr.sbin/ppp/ppp/command.c 7 Mar 2008 12:41:31 -0000
@@ -25,7 +25,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $OpenBSD: command.c,v 1.91 2005/09/21 16:28:47 brad Exp $
+ * $OpenBSD: command.c,v 1.92 2008/03/02 18:46:32 miod Exp $
 */
 #include
@@ -1130,7 +1130,10 @@ command_Expand_Interpret(char *buff, int
 {
 char buff2[LINE_LEN-offset];
- InterpretArg(buff, buff2);
+ if (InterpretArg(buff, buff2, sizeof buff2) == NULL) {
+ log_Printf(LogWARN, "Failed to expand command '%s': too long for the destination buffer\n", buff);
+ return -1;
+ }
 strncpy(buff, buff2, LINE_LEN - offset - 1);
 buff[LINE_LEN - offset - 1] = '\0';
Index: usr.sbin/ppp/ppp/systems.c
===================================================================
RCS file: /cvs/src/usr.sbin/ppp/ppp/systems.c,v
retrieving revision 1.18
diff -u -p -r1.18 systems.c
--- usr.sbin/ppp/ppp/systems.c 16 May 2002 01:13:39 -0000 1.18
+++ usr.sbin/ppp/ppp/systems.c 7 Mar 2008 12:41:31 -0000
@@ -25,7 +25,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $OpenBSD: systems.c,v 1.18 2002/05/16 01:13:39 brian Exp $
+ * $OpenBSD: systems.c,v 1.20 2008/03/02 19:31:43 deraadt Exp $
 */
 #include
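Review bot: In command_Expand_Interpret (command.c, hunk at -1130), the new `sizeof buff2` bound is only meaningful when `LINE_LEN-offset` is positive, and nothing visible in the hunk checks `offset` before it sizes the array. A zero or negative array length is already invalid, and with a size of zero InterpretArg's `endto = to + tosiz - 1` (systems.c, hunk at -75) would form a pointer before the buffer. If callers do not already guarantee the range, a guard such as `if (offset < 0 || offset >= LINE_LEN) return -1;` placed before `buff2` is declared would close this, and InterpretArg could additionally return NULL when `tosiz == 0`. The function's full signature and the rest of its body are outside the hunk, so the type and range of `offset` should be confirmed.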
@@ -64,9 +64,12 @@ CloseSecret(FILE *fp)
 fclose(fp);
 }
-/* Move string from ``from'' to ``to'', interpreting ``~'' and $.... */
+/*
+ * Move string from ``from'' to ``to'', interpreting ``~'' and $....
+ * Returns NULL if string expansion failed due to lack of buffer space.
+ */
 const char *
-InterpretArg(const char *from, char *to)
+InterpretArg(const char *from, char *to, size_t tosiz)
 {
 char *ptr, *startto, *endto;
 struct passwd *pwd;
@@ -75,12 +78,14 @@ InterpretArg(const char *from, char *to)
 instring = 0;
 startto = to;
- endto = to + LINE_LEN - 1;
+ endto = to + tosiz - 1;
 while(issep(*from))
 from++;
 while (*from != '\0') {
+ if (to >= endto)
+ return NULL;
 switch (*from) {
 case '"':
 instring = !instring;
@@ -96,6 +101,8 @@ InterpretArg(const char *from, char *to)
 *to++ = '\\'; /* Pass the escapes on, maybe skipping \# */
 break;
 }
+ if (to >= endto)
+ return NULL;
 *to++ = *from++;
 break;
 case '$':
@@ -106,8 +113,8 @@ InterpretArg(const char *from, char *to)
 ptr = strchr(from+2, '}');
 if (ptr) {
 len = ptr - from - 2;
- if (endto - to < len )
- len = endto - to;
+ if (endto - to < len)
+ return NULL;
 if (len) {
 strncpy(to, from+2, len);
 to[len] = '\0';
@@ -126,9 +133,13 @@ InterpretArg(const char *from, char *to)
 *ptr++ = *from;
 *ptr = '\0';
 }
+ if (to >= endto)
+ return NULL;
 if (*to == '\0')
 *to++ = '$';
 else if ((env = getenv(to)) != NULL) {
+ if (endto - to < strlen(env))
+ return NULL;
 strncpy(to, env, endto - to);
 *endto = '\0';
 to += strlen(to);
@@ -141,19 +152,24 @@ InterpretArg(const char *from, char *to)
 if (len == 0)
 pwd = getpwuid(ID0realuid());
 else {
+ if (endto - to < len)
+ return NULL;
 strncpy(to, from, len);
 to[len] = '\0';
 pwd = getpwnam(to);
 }
+ if (to >= endto)
+ return NULL;
 if (pwd == NULL)
 *to++ = '~';
 else {
+ if (endto - to < strlen(pwd->pw_dir))
+ return NULL;
 strncpy(to, pwd->pw_dir, endto - to);
 *endto = '\0';
 to += strlen(to);
 from += len;
 }
- endpwent();
 break;
 default:
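Review bot: The new comment above InterpretArg (systems.c, hunk at -64) documents only the failure return; it says nothing about what a non-NULL return points to, or what state `to` is left in on failure. Several of the added `return NULL` paths (hunks at -75, -96, -126 and -141) are reached after bytes have already been stored through `*to++` with no terminator, so a caller that reads `to` after a NULL return would see a partial, possibly unterminated string. I would add a line such as `* On a NULL return the contents of ``to'' are unspecified and must not be used.` and one describing the success return value, whose meaning is set by code outside these hunks.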
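Review bot: In the escape case of InterpretArg (hunk at -96), the added `to >= endto` check bounds the destination, but `*to++ = *from++;` still copies `*from` without testing it for the terminator. If `from` has already been stepped past the backslash at this point, which the preceding `*to++ = '\\'` suggests but the hunk does not show, a line ending in a backslash would copy the NUL and leave `from` one past the end of the string, so the enclosing `while (*from != '\0')` would read beyond it. A guard such as `if (*from == '\0') break;` before the copy would stop that. The start of this case is outside the hunk, so this needs confirming against the full function.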
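Review bot: `if (endto - to < strlen(env))` in the `$` branch (hunk at -126), and the matching `strlen(pwd->pw_dir)` test in the `~` branch (hunk at -141), compare a signed pointer difference with a size_t. The comparison is only correct because `to >= endto` is rejected just above, which keeps the difference positive before it is converted. That dependency deserves a comment or an explicit cast, e.g. `if ((size_t)(endto - to) < strlen(env))`. Since the length is now known to fit, the following `strncpy(to, env, endto - to)` and `to += strlen(to)` could also reuse one stored length instead of scanning the string three times.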
@@ -178,12 +194,16 @@ InterpretArg(const char *from, char *to)
 #define CTRL_INCLUDE (1)
 static int
-DecodeCtrlCommand(char *line, char *arg)
+DecodeCtrlCommand(char *line, char *arg, size_t argsiz)
 {
 const char *end;
 if (!strncasecmp(line, "include", 7) && issep(line[7])) {
- end = InterpretArg(line+8, arg);
+ end = InterpretArg(line+8, arg, argsiz);
+ if (end == NULL) {
+ log_Printf(LogWARN, "Failed to expand command '%s': too long for the destination buffer\n", line);
+ return CTRL_UNKNOWN;
+ }
 if (*end && *end != '#')
 log_Printf(LogWARN, "usage: !include filename\n");
 else
@@ -217,7 +237,6 @@ AllowUsers(struct cmdargs const *arg)
 userok = 1;
 break;
 }
- endpwent();
 return 0;
 }
@@ -352,7 +371,7 @@ ReadSystem(struct bundle *bundle, const
 break;
 case '!':
- switch (DecodeCtrlCommand(cp+1, arg)) {
+ switch (DecodeCtrlCommand(cp+1, arg, LINE_LEN)) {
 case CTRL_INCLUDE:
 log_Printf(LogCOMMAND, "%s: Including \"%s\"\n", filename, arg);
 n = ReadSystem(bundle, name, arg, prompt, cx, how);
Index: usr.sbin/ppp/ppp/systems.h
===================================================================
RCS file: /cvs/src/usr.sbin/ppp/ppp/systems.h,v
retrieving revision 1.7
diff -u -p -r1.7 systems.h
--- usr.sbin/ppp/ppp/systems.h 23 Nov 2001 11:17:03 -0000 1.7
+++ usr.sbin/ppp/ppp/systems.h 7 Mar 2008 12:41:31 -0000
@@ -25,7 +25,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $OpenBSD: systems.h,v 1.7 2001/11/23 11:17:03 brian Exp $
+ * $OpenBSD: systems.h,v 1.8 2008/03/02 18:46:33 miod Exp $
 */
 struct prompt;
@@ -40,4 +40,4 @@ extern FILE *OpenSecret(const char *);
 extern void CloseSecret(FILE *);
 extern int AllowUsers(struct cmdargs const *);
 extern int AllowModes(struct cmdargs const *);
-extern const char *InterpretArg(const char *, char *);
+extern const char *InterpretArg(const char *, char *, size_t);
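Review bot: On the new failure path in DecodeCtrlCommand (systems.c, hunk at -178), `arg` is left holding whatever InterpretArg stored before it gave up, and nothing here terminates or clears it. Returning CTRL_UNKNOWN hands that buffer back to the caller in an unspecified state; whether the caller reads it in that case is not visible in the hunk. Clearing it before the return, e.g. `if (argsiz > 0) arg[0] = '\0';`, would make the failure safe to handle either way. The rest of DecodeCtrlCommand's body continues outside the hunk.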
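Review bot: In ReadSystem (hunk at -352), the call passes the constant `LINE_LEN` as the size of `arg` rather than deriving it from the buffer. If `arg` is a local array (its declaration is outside the hunk), `DecodeCtrlCommand(cp+1, arg, sizeof arg)` would keep the bound tied to the declaration, the way command_Expand_Interpret does with `sizeof buff2`. A later change to the array size could then not silently leave the bound too large.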