From 9f52bf04956674db4bbe7a1578753ffadd664f4a Mon Sep 17 00:00:00 2001
From: blogic <blogic@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Date: Tue, 29 Jul 2014 12:18:52 +0000
Subject: [PATCH] ppp: fix a buffer overrun in the ms chap code

https://dev.openwrt.org/ticket/17296

Signed-off-by: John Crispin <blogic@openwrt.org>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41882 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 .../services/ppp/patches/520-ms_chap_buffer_overrun.patch   | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 package/network/services/ppp/patches/520-ms_chap_buffer_overrun.patch

diff --git a/package/network/services/ppp/patches/520-ms_chap_buffer_overrun.patch b/package/network/services/ppp/patches/520-ms_chap_buffer_overrun.patch
new file mode 100644
index 0000000000..acbf33b65a
--- /dev/null
+++ b/package/network/services/ppp/patches/520-ms_chap_buffer_overrun.patch
@@ -0,0 +1,13 @@
+Index: ppp-2.4.6/pppd/chap_ms.c
+===================================================================
+--- ppp-2.4.6.orig/pppd/chap_ms.c	2014-07-29 00:38:03.073968867 +0100
++++ ppp-2.4.6/pppd/chap_ms.c	2014-07-29 00:41:52.897964689 +0100
+@@ -382,7 +382,7 @@
+ 		      unsigned char *private)
+ {
+ 	const struct chapms2_response_cache_entry *cache_entry;
+-	unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH];
++	unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH+1];
+ 
+ 	challenge++;	/* skip length, should be 16 */
+ 	*response++ = MS_CHAP2_RESPONSE_LEN;
-- 
2.11.0