diff --git a/usr.sbin/ppp/ipcp.c b/usr.sbin/ppp/ipcp.c
index 909484576339..3a410d1b9fd3 100644
--- a/usr.sbin/ppp/ipcp.c
+++ b/usr.sbin/ppp/ipcp.c
@@ -192,6 +192,10 @@ ipcp_LoadDNS(struct ipcp *ipcp)
 if (fstat(fd, &st) == 0) {
 ssize_t got;
+ /*
+ * Note, ns.resolv and ns.resolv_nons are assumed to always point to
+ * buffers of the same size! See the strcpy() below.
+ */
 if ((ipcp->ns.resolv_nons = (char *)malloc(st.st_size + 1)) == NULL)
 log_Printf(LogERROR, "Failed to malloc %lu for %s: %s\n",
 (unsigned long)st.st_size, _PATH_RESCONF, strerror(errno));
@@ -252,6 +256,10 @@ ipcp_LoadDNS(struct ipcp *ipcp)
 else
 cp++;
 }
+ /*
+ * Note, cp_nons and cp always point to buffers of the same size, so
+ * strcpy is ok!
+ */
 strcpy(cp_nons, cp); /* Copy the end - including the NUL */
 cp_nons += strlen(cp_nons) - 1;
 while (cp_nons >= ipcp->ns.resolv_nons && *cp_nons == '\n')
@@ -746,7 +754,7 @@ IpcpSendConfigReq(struct fsm *fp)
 /* Send config REQ please */
 struct physical *p = link2physical(fp->link);
 struct ipcp *ipcp = fsm2ipcp(fp);
- u_char buff[24];
+ u_char buff[MAX_FSM_OPT_LEN];
 struct fsm_opt *o;
 o = (struct fsm_opt *)buff;
@@ -1045,7 +1053,7 @@ IpcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 struct ipcp *ipcp = fsm2ipcp(fp);
 int gotdnsnak;
 u_int32_t compproto;
- struct compreq *pcomp;
+ struct compreq pcomp;
 struct in_addr ipaddr, dstipaddr, have_ip;
 char tbuff[100], tbuff2[100];
 struct fsm_opt *opt, nak;
@@ -1093,9 +1101,9 @@ IpcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 break;
 case TY_COMPPROTO:
- pcomp = (struct compreq *)opt->data;
- compproto = (ntohs(pcomp->proto) << 16) + ((int)pcomp->slots << 8) +
- pcomp->compcid;
+ memcpy(&pcomp, opt->data, sizeof pcomp);
+ compproto = (ntohs(pcomp.proto) << 16) + ((int)pcomp.slots << 8) +
+ pcomp.compcid;
 log_Printf(LogIPCP, "%s %s\n", tbuff, vj2asc(compproto));
 switch (mode_type) {
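Review bot: The comment added above `strcpy(cp_nons, cp)` in the `@@ -252,6` hunk justifies the copy by the two buffers having the same size, but equal allocation sizes alone do not bound a copy that lands in the middle of a buffer. What makes it safe is that `cp_nons` is never further into `ns.resolv_nons` than `cp` is into its own buffer, which the loop above the hunk (not visible here) would have to guarantee. I would state that invariant, e.g. `/* cp_nons never runs ahead of cp and both buffers are the same size, so the tail at cp always fits */`, and word the `@@ -192,6` comment the same way, since that hunk only shows the `ns.resolv_nons` allocation. An assertion on the remaining space before the `strcpy` would turn the assumption into something a test can trip.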
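Review bot: `memcpy(&pcomp, opt->data, sizeof pcomp);` in the `@@ -1093,9` hunk copies a full `struct compreq` before `opt->hdr.len` is looked at; the `switch (opt->hdr.len)` only follows in the `@@ -1105,14` hunk. For a length-4 (RFC1172) option only two data bytes belong to the option, so `pcomp.slots` and `pcomp.compcid`, and with them the `compproto` that is logged and later stored in `ipcp->peer_compproto`, are taken from whatever follows it. Unless the decode loop outside the hunk already normalises the option into a zero-padded buffer, I would start with `memset(&pcomp, 0, sizeof pcomp);` and copy no more than `opt->hdr.len - 2` bytes, after checking that `opt->hdr.len >= 2`. The case body continues outside the hunk.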
@@ -1105,14 +1113,14 @@ IpcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 else {
 switch (opt->hdr.len) {
 case 4: /* RFC1172 */
- if (ntohs(pcomp->proto) == PROTO_VJCOMP) {
+ if (ntohs(pcomp.proto) == PROTO_VJCOMP) {
 log_Printf(LogWARN, "Peer is speaking RFC1172 compression "
 "protocol !\n");
 ipcp->heis1172 = 1;
 ipcp->peer_compproto = compproto;
 fsm_ack(dec, opt);
 } else {
- pcomp->proto = htons(PROTO_VJCOMP);
+ pcomp.proto = htons(PROTO_VJCOMP);
 nak.hdr.id = TY_COMPPROTO;
 nak.hdr.len = 4;
 memcpy(nak.data, &pcomp, 2);
@@ -1120,9 +1128,9 @@ IpcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 }
 break;
 case 6: /* RFC1332 */
- if (ntohs(pcomp->proto) == PROTO_VJCOMP) {
- /* We know pcomp->slots' max value == MAX_VJ_STATES */
- if (pcomp->slots >= MIN_VJ_STATES) {
+ if (ntohs(pcomp.proto) == PROTO_VJCOMP) {
+ /* We know pcomp.slots' max value == MAX_VJ_STATES */
+ if (pcomp.slots >= MIN_VJ_STATES) {
 /* Ok, we can do that */
 ipcp->peer_compproto = compproto;
 ipcp->heis1172 = 0;
@@ -1130,7 +1138,7 @@ IpcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 } else {
 /* Get as close as we can to what he wants */
 ipcp->heis1172 = 0;
- pcomp->slots = MIN_VJ_STATES;
+ pcomp.slots = MIN_VJ_STATES;
 nak.hdr.id = TY_COMPPROTO;
 nak.hdr.len = 4;
 memcpy(nak.data, &pcomp, 2);
@@ -1138,9 +1146,9 @@ IpcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 }
 } else {
 /* What we really want */
- pcomp->proto = htons(PROTO_VJCOMP);
- pcomp->slots = DEF_VJ_STATES;
- pcomp->compcid = 1;
+ pcomp.proto = htons(PROTO_VJCOMP);
+ pcomp.slots = DEF_VJ_STATES;
+ pcomp.compcid = 1;
 nak.hdr.id = TY_COMPPROTO;
 nak.hdr.len = 6;
 memcpy(nak.data, &pcomp, sizeof pcomp);
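Review bot: In the `@@ -1130,7` hunk `pcomp.slots = MIN_VJ_STATES;` now writes to a local copy, and the NAK built right after it uses `nak.hdr.len = 4;` with `memcpy(nak.data, &pcomp, 2);`, so only the protocol field is sent and the adjusted slot count never reaches the peer, although the comment says "Get as close as we can to what he wants". If nothing after the hunk reads `pcomp.slots`, the assignment is a dead store. Either build the 6-byte form the way the following branch does (`nak.hdr.len = 6;` and `memcpy(nak.data, &pcomp, sizeof pcomp);`), or drop the assignment and say in the comment that a 4-byte NAK is intended here. The branch continues outside the hunk.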
@@ -1155,12 +1163,12 @@ IpcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 break;
 case MODE_NAK:
- if (ntohs(pcomp->proto) == PROTO_VJCOMP) {
- /* We know pcomp->slots' max value == MAX_VJ_STATES */
- if (pcomp->slots < MIN_VJ_STATES)
- pcomp->slots = MIN_VJ_STATES;
- compproto = (ntohs(pcomp->proto) << 16) + (pcomp->slots << 8) +
- pcomp->compcid;
+ if (ntohs(pcomp.proto) == PROTO_VJCOMP) {
+ /* We know pcomp.slots' max value == MAX_VJ_STATES */
+ if (pcomp.slots < MIN_VJ_STATES)
+ pcomp.slots = MIN_VJ_STATES;
+ compproto = (ntohs(pcomp.proto) << 16) + (pcomp.slots << 8) +
+ pcomp.compcid;
 } else
 compproto = 0;
 log_Printf(LogIPCP, "%s changing compproto: %08x --> %08x\n",
diff --git a/usr.sbin/ppp/lcp.c b/usr.sbin/ppp/lcp.c
index 0b4b884d480e..d0c15fce2540 100644
--- a/usr.sbin/ppp/lcp.c
+++ b/usr.sbin/ppp/lcp.c
@@ -665,7 +665,7 @@ LcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 size_t sz;
 u_int32_t magic, accmap;
 u_short mru, phmtu, maxmtu, maxmru, wantmtu, wantmru, proto;
- struct lqrreq *req;
+ struct lqrreq req;
 char request[20], desc[22];
 struct mp *mp;
 struct physical *p = link2physical(fp->link);
@@ -933,24 +933,24 @@ LcpDecodeConfig(struct fsm *fp, u_char *cp, u_char *end, int mode_type,
 break;
 case TY_QUALPROTO:
- req = (struct lqrreq *)opt;
+ memcpy(&req, opt, sizeof req);
 log_Printf(LogLCP, "%s proto %x, interval %lums\n",
- request, ntohs(req->proto), (u_long)ntohl(req->period) * 10);
+ request, ntohs(req.proto), (u_long)ntohl(req.period) * 10);
 switch (mode_type) {
 case MODE_REQ:
- if (ntohs(req->proto) != PROTO_LQR || !IsAccepted(lcp->cfg.lqr)) {
+ if (ntohs(req.proto) != PROTO_LQR || !IsAccepted(lcp->cfg.lqr)) {
 fsm_rej(dec, opt);
 lcp->my_reject |= (1 << opt->hdr.id);
 } else {
- lcp->his_lqrperiod = ntohl(req->period);
+ lcp->his_lqrperiod = ntohl(req.period);
 if (lcp->his_lqrperiod < MIN_LQRPERIOD * 100)
 lcp->his_lqrperiod = MIN_LQRPERIOD * 100;
- req->period = htonl(lcp->his_lqrperiod);
+ req.period = htonl(lcp->his_lqrperiod);
 fsm_ack(dec, opt);
 }
 break;
 case MODE_NAK:
- lcp->want_lqrperiod = ntohl(req->period);
+ lcp->want_lqrperiod = ntohl(req.period);
 break;
 case MODE_REJ:
 lcp->his_reject |= (1 << opt->hdr.id);
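Review bot: `req.period = htonl(lcp->his_lqrperiod);` in the MODE_REQ branch is now a dead store, because `req` is a local copy made by `memcpy(&req, opt, sizeof req);` and the `fsm_ack(dec, opt);` that follows passes the unmodified `opt`. Before this change the write went through a pointer into the option, so the acknowledged option carried the clamped period; now the peer's original value is acknowledged while `lcp->his_lqrperiod` holds the raised one. Either write the field back before acknowledging, e.g. `memcpy(opt, &req, sizeof req);` ahead of `fsm_ack(dec, opt);`, or drop the assignment and add a comment that the ACK deliberately echoes the request. The `memcpy` also reads `sizeof req` bytes with no visible check that `opt->hdr.len` is that large; if the decode loop outside the hunk does not guarantee it, that check belongs before the copy.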