Correct a potential DoS vulnerability, as described at

http://www.securityfocus.com/archive/1/379450

This patch is based on dillon's patch on DragonFlyBSD, which is in
turn derived from OpenBSD's src/usr.sbin/pppd/cbcp.c,v 1.6.

Obtained from:	OpenBSD via DragonFlyBSD
Encouraged by:	nectar
This commit is contained in:
delphij 2004-11-10 05:49:52 +00:00
parent 0c7042c36c
commit 05758a9b47

View File

@ -132,12 +132,10 @@ cbcp_input(unit, inpacket, pktlen)
GETCHAR(id, inp);
GETSHORT(len, inp);
#if 0
if (len > pktlen) {
if (len < CBCP_MINLEN || len > pktlen) {
syslog(LOG_ERR, "CBCP packet: invalid length");
return;
}
#endif
len -= CBCP_MINLEN;
@ -271,12 +269,16 @@ cbcp_recvreq(us, pckt, pcktlen)
address[0] = 0;
while (len) {
while (len > 1) {
syslog(LOG_DEBUG, "length: %d", len);
GETCHAR(type, pckt);
GETCHAR(opt_len, pckt);
if (len < opt_len)
break;
len -= opt_len;
if (opt_len > 2)
GETCHAR(delay, pckt);
@ -305,7 +307,6 @@ cbcp_recvreq(us, pckt, pcktlen)
case CB_CONF_LIST:
break;
}
len -= opt_len;
}
cbcp_resp(us);
@ -399,10 +400,13 @@ cbcp_recvack(us, pckt, len)
int opt_len;
char address[256];
if (len) {
if (len > 1) {
GETCHAR(type, pckt);
GETCHAR(opt_len, pckt);
if (opt_len > len)
return;
if (opt_len > 2)
GETCHAR(delay, pckt);