From 3e92b40a732a4669c47cee68840b71c136b12815 Mon Sep 17 00:00:00 2001 From: yasuoka Date: Fri, 5 Mar 2021 08:41:26 +0000 Subject: [PATCH] Fix some heap over-read in logging in PPTP protocol handler. --- usr.sbin/npppd/pptp/pptp_call.c | 11 ++++++----- usr.sbin/npppd/pptp/pptp_ctrl.c | 24 +++++++++++------------- 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/usr.sbin/npppd/pptp/pptp_call.c b/usr.sbin/npppd/pptp/pptp_call.c index 4d0c3d0a7c4..96b9cd0608e 100644 --- a/usr.sbin/npppd/pptp/pptp_call.c +++ b/usr.sbin/npppd/pptp/pptp_call.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pptp_call.c,v 1.9 2015/12/05 16:10:31 yasuoka Exp $ */ +/* $OpenBSD: pptp_call.c,v 1.10 2021/03/05 08:41:26 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -/* $Id: pptp_call.c,v 1.9 2015/12/05 16:10:31 yasuoka Exp $ */ +/* $Id: pptp_call.c,v 1.10 2021/03/05 08:41:26 yasuoka Exp $ */ /**@file PPTP Call */ /* currently it supports PAC mode only */ #include @@ -802,12 +802,13 @@ pptp_call_OCRQ_string(struct pptp_ocrq *ocrq, char *buf, int lbuf) snprintf(buf, lbuf, "call_id=%u call_serial_number=%u max_bps=%u min_bps=%u bearer=%s " "framing=%s recv_winsz=%u packet_proccessing_delay=%u " - "phone_nunmber=%s subaddress=%s", + "phone_nunmber=%.*s subaddress=%.*s", ocrq->call_id, ocrq->call_serial_number, ocrq->maximum_bps, ocrq->minimum_bps, pptp_bearer_string(ocrq->bearer_type), pptp_framing_string(ocrq->framing_type), ocrq->recv_winsz, - ocrq->packet_proccessing_delay, ocrq->phone_number, - ocrq->subaddress); + ocrq->packet_proccessing_delay, + (u_int)sizeof(ocrq->phone_number), ocrq->phone_number, + (u_int)sizeof(ocrq->subaddress), ocrq->subaddress); } /* convert Outgoing-Call-Reply packet to strings */ diff --git a/usr.sbin/npppd/pptp/pptp_ctrl.c b/usr.sbin/npppd/pptp/pptp_ctrl.c index e9c85c4b36e..a7c4b5dbf7d 100644 --- a/usr.sbin/npppd/pptp/pptp_ctrl.c 
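Review bot: The precision arguments added for `%.*s` in pptp_call_OCRQ_string are cast to `u_int`, but a `*` precision is consumed as an `int`, so the casts should read `(int)sizeof(ocrq->phone_number)` and `(int)sizeof(ocrq->subaddress)`; the pptp_ctrl_SCCRx_string hunk in pptp_ctrl.c has the same cast on `host_name` and `vendor_string`. The sizes are small, so the output is the same in practice, but the type mismatch is what format checking reports. A short comment above the snprintf call, for example `/* fixed-size fields, not guaranteed to be NUL-terminated: bound the read with %.*s */`, would stop a later cleanup from going back to plain `%s`. The start of the function lies outside the hunk.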
+++ b/usr.sbin/npppd/pptp/pptp_ctrl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pptp_ctrl.c,v 1.11 2016/04/16 18:32:29 krw Exp $ */ +/* $OpenBSD: pptp_ctrl.c,v 1.12 2021/03/05 08:41:26 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -29,7 +29,7 @@ * PPTP(RFC 2637) control connection implementation. * currently it only support PAC part */ -/* $Id: pptp_ctrl.c,v 1.11 2016/04/16 18:32:29 krw Exp $ */ +/* $Id: pptp_ctrl.c,v 1.12 2021/03/05 08:41:26 yasuoka Exp $ */ #include #include #include @@ -556,26 +556,24 @@ pptp_ctrl_output_flush(pptp_ctrl *_this) static void pptp_ctrl_SCCRx_string(struct pptp_scc *scc, u_char *buf, int lbuf) { - char buf1[128], buf2[128], buf3[128]; - - /* sanity check */ - strlcpy(buf1, scc->host_name, sizeof(buf1)); - strlcpy(buf2, scc->vendor_string, sizeof(buf2)); + char results[128]; if (scc->result_code != 0) - snprintf(buf3, sizeof(buf3), "result=%d error=%d ", + snprintf(results, sizeof(results), "result=%d error=%d ", scc->result_code, scc->error_code); else - buf3[0] = '\0'; + results[0] = '\0'; snprintf(buf, lbuf, "protocol_version=%d.%d %sframing=%s bearer=%s max_channels=%d " - "firmware_revision=%d(0x%04x) host_name=\"%s\" " - "vendor_string=\"%s\"", - scc->protocol_version >> 8, scc->protocol_version & 0xff, buf3, + "firmware_revision=%d(0x%04x) host_name=\"%.*s\" " + "vendor_string=\"%.*s\"", + scc->protocol_version >> 8, scc->protocol_version & 0xff, results, pptp_framing_string(scc->framing_caps), pptp_bearer_string(scc->bearer_caps), scc->max_channels, - scc->firmware_revision, scc->firmware_revision, buf1, buf2); + scc->firmware_revision, scc->firmware_revision, + (u_int)sizeof(scc->host_name), scc->host_name, + (u_int)sizeof(scc->vendor_string), scc->vendor_string); } /* receive Start-Control-Connection-Request */ -- 2.20.1
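Review bot: In pptp_ctrl_SCCRx_string the bytes of `scc->host_name` and `scc->vendor_string` are now bounded in length but still copied unescaped into the log text between literal double quotes. These fields presumably come from the peer, so an embedded `"` or control byte inside the field could make one log record read as several fields or lines. Whether the logging layer already encodes such bytes is not visible in this hunk. If it does not, encoding each field into a local buffer with `strvisx()` before formatting would keep the record unambiguous, and the same applies to `phone_number` and `subaddress` in the pptp_call.c hunk. Separately, `buf` is declared `u_char *` here but `char *` in pptp_call_OCRQ_string, so the `snprintf(buf, lbuf, ...)` call relies on an implicit pointer-signedness conversion that the other helper avoids.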