From 00078de8a38f5b621ea4957ca973445e68f07763 Mon Sep 17 00:00:00 2001 From: Brendan O'Dea Date: Fri, 17 Feb 2006 14:35:53 +0000 Subject: [PATCH] avoid endless loop in processipcp, processipv6cp --- Changes | 1 + ppp.c | 14 +++++++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/Changes b/Changes index d4c668c..24b0c8c 100644 --- a/Changes +++ b/Changes @@ -4,6 +4,7 @@ - Handle LCP NAK of magic-number. - Ensure session changes from LCP ConfigReq/ConfigNak are sent to cluster. - Verify that RADIUS packets come from a configured server (Jonathan Yarden). +- Avoid endless loop in processipcp, processipv6cp. * Mon Dec 19 2005 Brendan O'Dea 2.1.15 - Drop backtrace. diff --git a/ppp.c b/ppp.c index 0f6bba9..b306f28 100644 --- a/ppp.c +++ b/ppp.c @@ -1,6 +1,6 @@ // L2TPNS PPP Stuff -char const *cvs_id_ppp = "$Id: ppp.c,v 1.94 2006-01-19 21:31:25 bodea Exp $"; +char const *cvs_id_ppp = "$Id: ppp.c,v 1.95 2006-02-17 14:35:54 bodea Exp $"; #include #include @@ -1014,11 +1014,13 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) while (length > 2) { + if (!o[1] || o[1] > length) return; + switch (*o) { case 3: // ip address gotip++; // seen address - if (o[1] != 6 || o[1] > length) return; + if (o[1] != 6) return; addr = htonl(session[s].ip); if (memcmp(o + 2, &addr, (sizeof addr))) @@ -1035,7 +1037,7 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) break; case 129: // primary DNS - if (o[1] != 6 || o[1] > length) return; + if (o[1] != 6) return; addr = htonl(session[s].dns1); if (memcmp(o + 2, &addr, (sizeof addr))) @@ -1047,7 +1049,7 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) break; case 131: // secondary DNS - if (o[1] != 6 || o[1] > length) return; + if (o[1] != 6) return; addr = htonl(session[s].dns2); if (memcmp(o + 2, &addr, sizeof(addr))) @@ -1239,11 +1241,13 @@ void processipv6cp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l) while (length > 2) { + if (!o[1] || o[1] > length) return; + switch (*o) { case 1: // interface identifier gotip++; // seen address - if (o[1] != 10 || o[1] > length) return; + if (o[1] != 10) return; *(uint32_t *) ident = htonl(session[s].ip); *(uint32_t *) (ident + 4) = 0; -- 2.20.1