diff options
author | brian <brian@FreeBSD.org> | 2000-05-26 21:11:55 +0000 |
---|---|---|
committer | brian <brian@FreeBSD.org> | 2000-05-26 21:11:55 +0000 |
commit | 8c66999e1dece9580671edf7cd994284f29eacee (patch) | |
tree | 9cf6c050b39aeff5fdd54764f3821a8d82e112cf /usr.sbin | |
parent | 2f58d03cd509c1cac6d5922d8169888e8937410b (diff) | |
download | FreeBSD-src-8c66999e1dece9580671edf7cd994284f29eacee.zip FreeBSD-src-8c66999e1dece9580671edf7cd994284f29eacee.tar.gz |
If the fsm header reports a length greater than the packet size,
drop the packet rather than just whinging about it in the log.
If the fsm header has a smaller length, continue to whinge.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ppp/fsm.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/usr.sbin/ppp/fsm.c b/usr.sbin/ppp/fsm.c index f1124b5..1366921 100644 --- a/usr.sbin/ppp/fsm.c +++ b/usr.sbin/ppp/fsm.c @@ -976,9 +976,16 @@ fsm_Input(struct fsm *fp, struct mbuf *bp) } bp = mbuf_Read(bp, &lh, sizeof lh); - if (ntohs(lh.length) != len) + if (ntohs(lh.length) != len) { + if (ntohs(lh.length) > len) { + log_Printf(LogWARN, "%s: Oops: Got %d bytes but %d byte payload " + "- dropped\n", fp->link->name, len, (int)ntohs(lh.length)); + m_freem(bp); + return; + } log_Printf(LogWARN, "%s: Oops: Got %d bytes but %d byte payload\n", fp->link->name, len, (int)ntohs(lh.length)); + } if (lh.code < fp->min_code || lh.code > fp->max_code || lh.code > sizeof FsmCodes / sizeof *FsmCodes) { |