From 7e971892dfc5aac20bd62be7817941dbaed55f42 Mon Sep 17 00:00:00 2001
From: John Baldwin
Date: Wed, 10 Jun 2026 09:44:10 -0400
Subject: [PATCH] ppp: Permit CHAP challenges up to 255 bytes

RFC 1994 does not place any limit on the length of the value field in challenge messages except that the length is a single octet which bounds the maximum length to 255.

NB: I'm not sure why the local[] and peer[] arrays contain room for an authentication name (AUTHLEN) in addition to a challenge value/response, but I've just left that in place.

PR: 271955
Reported by: Robert Morris
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D57138
---
 usr.sbin/ppp/chap.c | 4 ++--
 usr.sbin/ppp/chap.h | 4 ++--
 usr.sbin/ppp/defs.h | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/usr.sbin/ppp/chap.c b/usr.sbin/ppp/chap.c
index 9cefa6db71c..1129aa7fb2a 100644
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@@ -238,7 +238,7 @@ chap_BuildAnswer(char *name, char *key, u_char id, char *challenge
 MD5Init(&MD5context);
 MD5Update(&MD5context, &id, 1);
 MD5Update(&MD5context, key, klen);
- MD5Update(&MD5context, challenge + 1, *challenge);
+ MD5Update(&MD5context, challenge + 1, (u_char)*challenge);
 MD5Final(digest, &MD5context);
 memcpy(digest + 16, name, nlen);
@@ -913,7 +913,7 @@ chap_Input(struct bundle *bundle, struct link *l, struct mbuf *bp)
 if (myans == NULL)
 key = NULL;
 else {
- if (!chap_Cmp(myans + 1, *myans, ans + 1, alen
+ if (!chap_Cmp(myans + 1, (u_char)*myans, ans + 1, alen
 #ifndef NODES
 , p->link.lcp.want_authtype, lanman
 #endif
diff --git a/usr.sbin/ppp/chap.h b/usr.sbin/ppp/chap.h
index f697167ab16..993ed3f060f 100644
--- a/usr.sbin/ppp/chap.h
+++ b/usr.sbin/ppp/chap.h
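Review bot: The `(u_char)` casts correct the length octet only at the two call sites shown, `MD5Update(&MD5context, challenge + 1, (u_char)*challenge)` in chap_BuildAnswer and `chap_Cmp(myans + 1, (u_char)*myans, ...)` in chap_Input. The casts imply both pointers remain plain `char *`, so any other place that reads the first byte as a length would still turn values of 0x80 and above into a negative or very large count where `char` is signed. Both functions continue outside their hunks, so the remaining reads of `*challenge` and `*myans`, including any in the `#ifndef NODES` paths, should be checked for the same conversion. Reading the length once into a local, `size_t clen = (u_char)*challenge;`, and using `clen` throughout would make the conversion hard to miss. A comment such as `/* challenge[0] is the value length (0..255); the value follows */` would document the layout the casts depend on.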
@@ -48,8 +48,8 @@ struct chap {
 } child;
 struct authinfo auth;
 struct {
- u_char local[CHAPCHALLENGELEN + AUTHLEN]; /* I invented this one */
- u_char peer[CHAPCHALLENGELEN + AUTHLEN]; /* Peer gave us this one */
+ u_char local[CHAPCHALLENGELEN + 1 + AUTHLEN]; /* I invented this one */
+ u_char peer[CHAPCHALLENGELEN + 1 + AUTHLEN]; /* Peer gave us this one */
 } challenge;
 #ifndef NODES
 unsigned NTRespSent : 1; /* Our last response */
diff --git a/usr.sbin/ppp/defs.h b/usr.sbin/ppp/defs.h
index c76cbd8ad9c..31f2577a6c2 100644
--- a/usr.sbin/ppp/defs.h
+++ b/usr.sbin/ppp/defs.h
@@ -58,7 +58,7 @@
 #define DEVICE_LEN SCRIPT_LEN /* Size of individual devices */
 #define AUTHLEN 100 /* Size of authname/authkey */
 #define CHAPDIGESTLEN 100 /* Maximum chap digest */
-#define CHAPCHALLENGELEN 48 /* Maximum chap challenge */
+#define CHAPCHALLENGELEN 255 /* Maximum chap challenge */
 #define CHAPAUTHRESPONSELEN 48 /* Maximum chap authresponse (chap81) */
 #define MAXARGS 40 /* How many args per config line */
 #define NCP_IDLE_TIMEOUT 180 /* Drop all links */
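Review bot: The new `+ 1` in the `local[]` and `peer[]` declarations is unexplained. Going by the `challenge + 1` / `*challenge` accesses in chap.c it presumably reserves the leading length octet, and the trailing comments should say so, for example `/* [0] = value length, [1..] = value; peer gave us this one */`. Because that length is stored in a single byte, a compile-time guard next to the struct, `_Static_assert(CHAPCHALLENGELEN <= 255, "CHAP value length is one octet");`, would keep a later change to the constant from silently truncating the stored length. struct chap begins and ends outside the hunk, so how the arrays are filled is not visible here.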
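Review bot: Raising `CHAPCHALLENGELEN` from 48 to 255 changes every bound and buffer derived from it, not only the two arrays in chap.h, and none of those other uses appear in this patch. The receive path should be confirmed to check the peer-supplied value size against the actual size of `challenge.peer` before copying, rather than relying on the constant now matching the protocol maximum. Any code that derives the length of locally generated challenges from this constant will presumably start producing longer ones. A more specific comment on the define, `/* Maximum chap challenge value; the length field is one octet (RFC 1994) */`, would record why 255 is the ceiling.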