fix IPCP length test to allow Terminate-Request (4 bytes)
[l2tpns.git] / ppp.c
diff --git a/ppp.c b/ppp.c
index 17fde89..578273a 100644 (file)
--- a/ppp.c
+++ b/ppp.c
@@ -1,6 +1,6 @@
 // L2TPNS PPP Stuff
 
-char const *cvs_id_ppp = "$Id: ppp.c,v 1.88 2005/12/07 05:21:37 bodea Exp $";
+char const *cvs_id_ppp = "$Id: ppp.c,v 1.97 2006/03/27 03:01:08 bodea Exp $";
 
 #include <stdio.h>
 #include <string.h>
@@ -475,7 +475,6 @@ void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
 {
        uint8_t b[MAXETHER];
        uint8_t *q = NULL;
-       uint32_t magicno = 0;
        uint16_t hl;
 
        CSTAT(processlcp);
@@ -499,7 +498,9 @@ void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
        if (session[s].die) // going down...
                return;
 
-       LOG(*p == EchoReq ? 4 : 3, s, t, "LCP: recv %s\n", ppp_code(*p));
+       LOG((*p == EchoReq || *p == EchoReply) ? 4 : 3, s, t,
+               "LCP: recv %s\n", ppp_code(*p));
+
        if (config->debug > 3) dumplcp(p, l);
 
        if (*p == ConfigAck)
@@ -581,6 +582,7 @@ void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
                                                if (mru >= MINMTU)
                                                {
                                                        session[s].mru = mru;
+                                                       cluster_send_session(s);
                                                        break;
                                                }
 
@@ -647,11 +649,8 @@ void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
                                        }
                                        break;
 
-                               case 5: // Magic-Number
-                                       magicno = ntohl(*(uint32_t *)(o + 2));
-                                       break;
-
                                case 4: // Quality-Protocol
+                               case 5: // Magic-Number
                                case 7: // Protocol-Field-Compression
                                case 8: // Address-And-Control-Field-Compression
                                        break;
@@ -748,6 +747,7 @@ void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
                                case 1: // Maximum-Receive-Unit
                                        if (*p == ConfigNak)
                                        {
+                                               if (length < 4) break;
                                                sess_local[s].ppp_mru = ntohs(*(uint16_t *)(o + 2));
                                                LOG(3, s, t, "    Remote requested MRU of %u\n", sess_local[s].ppp_mru);
                                        }
@@ -765,14 +765,18 @@ void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
 
                                        if (*p == ConfigNak)
                                        {
-                                               int proto = ntohs(*(uint16_t *)(o + 2));
+                                               int proto;
+
+                                               if (length < 4) break;
+                                               proto = ntohs(*(uint16_t *)(o + 2));
+
                                                if (proto == PPPPAP)
                                                {
                                                        authtype = config->radius_authtypes & AUTHPAP;
                                                        LOG(3, s, t, "    Remote requested PAP authentication...%sing\n",
                                                                authtype ? "accept" : "reject");
                                                }
-                                               else if (proto == PPPCHAP && *(o + 4) == 5)
+                                               else if (proto == PPPCHAP && length > 4 && *(o + 4) == 5)
                                                {
                                                        authtype = config->radius_authtypes & AUTHCHAP;
                                                        LOG(3, s, t, "    Remote requested CHAP authentication...%sing\n",
@@ -792,9 +796,26 @@ void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
 
                                        break;
 
+                               case 5: // Magic-Number
+                                       session[s].magic = 0;
+                                       if (*p == ConfigNak)
+                                       {
+                                               if (length < 6) break;
+                                               session[s].magic = ntohl(*(uint32_t *)(o + 2));
+                                       }
+
+                                       if (session[s].magic)
+                                               LOG(3, s, t, "    Remote requested magic-no %x\n", session[s].magic);
+                                       else
+                                               LOG(3, s, t, "    Remote rejected magic-no\n");
+
+                                       cluster_send_session(s);
+                                       break;
+
                                default:
                                        LOG(2, s, t, "LCP: remote sent %s for type %u?\n", ppp_code(*p), type);
-                                       break;
+                                       sessionshutdown(s, "Unable to negotiate LCP.", 3, 0);
+                                       return;
                        }
                        x -= length;
                        o += length;
@@ -946,7 +967,7 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
        CSTAT(processipcp);
 
        LOG_HEX(5, "IPCP", p, l);
-       if (l < 5)
+       if (l < 4)
        {
                LOG(1, s, t, "Short IPCP %d bytes\n", l);
                STAT(tunnel_rx_errors);
@@ -1003,11 +1024,13 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
 
                while (length > 2)
                {
+                       if (!o[1] || o[1] > length) return;
+
                        switch (*o)
                        {
                        case 3: // ip address
                                gotip++; // seen address
-                               if (o[1] != 6 || o[1] > length) return;
+                               if (o[1] != 6) return;
 
                                addr = htonl(session[s].ip);
                                if (memcmp(o + 2, &addr, (sizeof addr)))
@@ -1024,7 +1047,7 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
                                break;
 
                        case 129: // primary DNS
-                               if (o[1] != 6 || o[1] > length) return;
+                               if (o[1] != 6) return;
 
                                addr = htonl(session[s].dns1);
                                if (memcmp(o + 2, &addr, (sizeof addr)))
@@ -1036,7 +1059,7 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
                                break;
 
                        case 131: // secondary DNS
-                               if (o[1] != 6 || o[1] > length) return;
+                               if (o[1] != 6) return;
 
                                addr = htonl(session[s].dns2);
                                if (memcmp(o + 2, &addr, sizeof(addr)))
@@ -1228,11 +1251,13 @@ void processipv6cp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
 
                while (length > 2)
                {
+                       if (!o[1] || o[1] > length) return;
+
                        switch (*o)
                        {
                        case 1: // interface identifier
                                gotip++; // seen address
-                               if (o[1] != 10 || o[1] > length) return;
+                               if (o[1] != 10) return;
 
                                *(uint32_t *) ident = htonl(session[s].ip);
                                *(uint32_t *) (ident + 4) = 0;
@@ -1749,15 +1774,12 @@ void sendchap(sessionidt s, tunnelidt t)
 }
 
 // fill in a L2TP message with a PPP frame,
-// copies existing PPP message and changes magic number if seen
 // returns start of PPP frame
 uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, sessionidt s, tunnelidt t, uint16_t mtype)
 {
        if (size < 12) // Need more space than this!!
        {
-               static int backtrace_count = 0;
                LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
-               log_backtrace(backtrace_count, 5)
                return NULL;
        }
 
@@ -1780,9 +1802,7 @@ uint8_t *makeppp(uint8_t *b, int size, uint8_t *p, int l, sessionidt s, tunnelid
 
        if (l + 12 > size)
        {
-               static int backtrace_count = 0;
                LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
-               log_backtrace(backtrace_count, 5)
                return NULL;
        }
 
@@ -1818,7 +1838,7 @@ static int add_lcp_auth(uint8_t *b, int size, int authtype)
        return len;
 }
 
-// Send initial LCP ConfigReq for MRU, authentication type and magic no
+// Send LCP ConfigReq for MRU, authentication type and magic no
 void sendlcp(sessionidt s, tunnelidt t)
 {
        uint8_t b[500], *q, *l;
@@ -1847,9 +1867,12 @@ void sendlcp(sessionidt s, tunnelidt t)
        if (authtype)
                l += add_lcp_auth(l, sizeof(b) - (l - b), authtype);
 
-       *l++ = 5; *l++ = 6; // Magic-Number (length 6)
-       *(uint32_t *) l = htonl(session[s].magic);
-       l += 4;
+       if (session[s].magic)
+       {
+               *l++ = 5; *l++ = 6; // Magic-Number (length 6)
+               *(uint32_t *) l = htonl(session[s].magic);
+               l += 4;
+       }
 
        *(uint16_t *)(q + 2) = htons(l - q); // Length