auth_chap: fixed incorrect check for received buffer size

accel-pppd/auth/auth_chap_md5.c

@@ -404,7 +404,7 @@ static void chap_recv(struct ppp_handler_t *h)
 	struct chap_auth_data_t *d = container_of(h, typeof(*d), h);
 	struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf;
 
-	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2)	{
+	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2)	{
 		log_ppp_warn("chap-md5: short packet received\n");
 		return;
 	}

accel-pppd/auth/auth_mschap_v1.c

@@ -470,7 +470,7 @@ static void chap_recv(struct ppp_handler_t *h)
 	struct chap_auth_data_t *d = container_of(h, typeof(*d), h);
 	struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf;
 
-	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2) {
+	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2) {
 		log_ppp_warn("mschap-v1: short packet received\n");
 		return;
 	}

accel-pppd/auth/auth_mschap_v2.c

@@ -607,7 +607,7 @@ static void chap_recv(struct ppp_handler_t *h)
 	struct chap_auth_data_t *d = container_of(h, typeof(*d), h);
 	struct chap_hdr_t *hdr = (struct chap_hdr_t *)d->ppp->buf;
 
-	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) < d->ppp->buf_size - 2) {
+	if (d->ppp->buf_size < sizeof(*hdr) || ntohs(hdr->len) < HDR_LEN || ntohs(hdr->len) > d->ppp->buf_size - 2) {
 		log_ppp_warn("mschap-v2: short packet received\n");
 		return;
 	}