From 60be20cf326f2788e59b71372561913710ac19a2 Mon Sep 17 00:00:00 2001
From: Tassilo Schweyer
Date: Sun, 4 May 2025 13:42:47 +0200
Subject: [PATCH] Fix possible buffer overflow when dealing with auth challenge/response
---
 l2tpns.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/l2tpns.c b/l2tpns.c
index 513e306..b466546 100644
--- a/l2tpns.c
+++ b/l2tpns.c
@@ -5074,8 +5074,12 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr, uint16_t indexu
 LOG(3, s, t, "Reusing LCP negotiation\n");
 // Start with proxy auth id to avoid client caching challenge responses
 sess_local[s].auth_id = authid;
- memcpy(sess_local[s].auth_chall, authchall, authchalln);
- memcpy(sess_local[s].auth_resp, authresp, authrespn);
+ if (authchalln <= 16) {
+ memcpy(sess_local[s].auth_chall, authchall, authchalln);
+ }
+ if (authrespn <= 64) {
+ memcpy(sess_local[s].auth_resp, authresp, authrespn);
+ }
 if (atype != 0) {
 sess_local[s].auth_type = atype;
 }
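Review bot: The new guards `if (authchalln <= 16)` and `if (authrespn <= 64)` skip the copy silently when the length is too large, so the session still takes the new `auth_id` while `auth_chall`/`auth_resp` keep whatever they held before, and nothing is logged. Each guard would be safer with an `else` that records the event and clears the destination, for example `else { LOG(2, s, t, "Proxy auth challenge too long, ignored\n"); memset(sess_local[s].auth_chall, 0, sizeof(sess_local[s].auth_chall)); }`, or that rejects the proxy auth data outright. The literals 16 and 64 presumably mirror the field sizes declared elsewhere; if those fields are fixed-size arrays, `authchalln <= sizeof(sess_local[s].auth_chall)` keeps the bound tied to the declaration. The declarations of `authchalln` and `authrespn` are outside the hunk; if either is signed, a negative value would pass the `<=` test and reach memcpy as a very large size, so confirm they are unsigned. processudp's body starts and ends outside the hunk.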