author | delphij <delphij@FreeBSD.org> | 2004-11-10 05:49:52 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2004-11-10 05:49:52 +0000 |
commit | 05758a9b4746435596bc8ea85c45ff5f1f740a3c (patch) | |
tree | 176690d04ae863348ff3f6bfed17cd64b1dd0861 | |
parent | 0c7042c36cb8089aa7fc3d1a95ebf7c57319aee9 (diff) | |
Correct a potential DoS vulnerability, as described at
http://www.securityfocus.com/archive/1/379450
This patch is based on dillon's patch on DragonFlyBSD, which is in
turn derived from OpenBSD's src/usr.sbin/pppd/cbcp.c,v 1.6.
Obtained from: OpenBSD via DragonFlyBSD
Encouraged by: nectar
-rw-r--r-- | usr.sbin/pppd/cbcp.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/usr.sbin/pppd/cbcp.c b/usr.sbin/pppd/cbcp.c index fb265e6..f72fe9e 100644 --- a/usr.sbin/pppd/cbcp.c +++ b/usr.sbin/pppd/cbcp.c @@ -132,12 +132,10 @@ cbcp_input(unit, inpacket, pktlen) GETCHAR(id, inp); GETSHORT(len, inp); -#if 0 - if (len > pktlen) { + if (len < CBCP_MINLEN || len > pktlen) { syslog(LOG_ERR, "CBCP packet: invalid length"); return; } -#endif len -= CBCP_MINLEN; @@ -271,12 +269,16 @@ cbcp_recvreq(us, pckt, pcktlen) address[0] = 0; - while (len) { + while (len > 1) { syslog(LOG_DEBUG, "length: %d", len); GETCHAR(type, pckt); GETCHAR(opt_len, pckt); + if (len < opt_len) + break; + len -= opt_len; + if (opt_len > 2) GETCHAR(delay, pckt); @@ -305,7 +307,6 @@ cbcp_recvreq(us, pckt, pcktlen) case CB_CONF_LIST: break; } - len -= opt_len; } cbcp_resp(us); @@ -399,10 +400,13 @@ cbcp_recvack(us, pckt, len) int opt_len; char address[256]; - if (len) { + if (len > 1) { GETCHAR(type, pckt); GETCHAR(opt_len, pckt); + if (opt_len > len) + return; + if (opt_len > 2) GETCHAR(delay, pckt); |
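Review bot: The new bound in the cbcp_recvreq loop tests only `len < opt_len`, so an option whose length byte is 0 or 1 is still accepted although the two GETCHAR calls have already consumed two bytes; `len` then shrinks by less than what was read and `pckt` can run ahead of the remaining length. Rejecting short options in the same test would close that gap: `if (opt_len < 2 || opt_len > len) break;`. The same lower bound is missing from the `if (opt_len > len) return;` check added to cbcp_recvack. The `break` also appears to fall through to the `cbcp_resp(us)` call visible in the following hunk, so a response may still be built from a partly parsed request; a logged `return` may be the safer exit, though the rest of the loop body lies outside this hunk.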
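Review bot: The added `if (opt_len > len) return;` in cbcp_recvack drops a malformed ack without any log line, while the length check in cbcp_input reports `"CBCP packet: invalid length"` at LOG_ERR. Logging here as well would let an operator notice a peer that sends bad CBCP options: put `syslog(LOG_ERR, "CBCP packet: invalid length");` before the `return;` and brace the pair. The two new checks are also written in opposite orders (`len < opt_len` in cbcp_recvreq, `opt_len > len` here); using one form in both places would make them easier to audit together. The function body continues past the end of the hunk.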