1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
$NetBSD: patch-al,v 1.1.1.1 2005/01/02 02:51:42 cube Exp $
--- pppd/cbcp.c.orig 2004-10-28 02:15:36.000000000 +0200
+++ pppd/cbcp.c
@@ -166,7 +166,7 @@ cbcp_input(unit, inpacket, pktlen)
if (pktlen < CBCP_MINLEN) {
if (debug)
- dbglog("CBCP packet is too small");
+ dbglog("CBCP packet is too short (%d)", pktlen);
return;
}
@@ -176,7 +176,7 @@ cbcp_input(unit, inpacket, pktlen)
if (len > pktlen || len < CBCP_MINLEN) {
if (debug)
- dbglog("CBCP packet: invalid length %d", len);
+ dbglog("CBCP packet: invalid length %d/%d", len, pktlen);
return;
}
@@ -321,6 +321,12 @@ cbcp_recvreq(us, pckt, pcktlen)
if (opt_len < 2 || opt_len > len)
break;
+ /* seriously malformed, stop processing */
+ if (opt_len > len) {
+ error("CBCP: Malformed option length (%d/%d)", opt_len, len);
+ break;
+ }
+
if (opt_len > 2)
GETCHAR(delay, pckt);
|
