From 4da95975031c20cb0caf210a3bd78ca8f9963dd6 Mon Sep 17 00:00:00 2001
From: Brendan O'Dea
Date: Fri, 5 Nov 2004 02:25:25 +0000
Subject: [PATCH 1/1] add length checks and comments to proxy LCP parsing

---
 l2tpns.c | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)

diff --git a/l2tpns.c b/l2tpns.c
index a83b57d..13a2565 100644
--- a/l2tpns.c
+++ b/l2tpns.c
@@ -4,7 +4,7 @@
 // Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced
 // vim: sw=8 ts=8

-char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.41 2004-11-04 06:05:55 bodea Exp $";
+char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.42 2004-11-05 02:25:25 bodea Exp $";

 #include
 #include
@@ -1668,39 +1668,23 @@ void processudp(u8 * buf, int len, struct sockaddr_in *addr)
 case 27: // last send lcp
 { // find magic number
 u8 *p = b, *e = p + n;
- while (p < e && p[1])
+ while (p + 1 < e && p[1] && p + p[1] <= e)
 {
- if (*p == 5 && p[1] == 6)
+ if (*p == 5 && p[1] == 6) // Magic-Number
 amagic = ntohl(*(u32 *) (p + 2));
- else if (*p == 3 && p[1] == 5 && *(u16 *) (p + 2) == htons(PPPCHAP) && p[4] == 5)
+ else if (*p == 3 && p[1] == 5 && *(u16 *) (p + 2) == htons(PPPCHAP) && p[4] == 5) // Authentication-Protocol
 chap = 1;
- else if (*p == 7)
+ else if (*p == 7) // Protocol-Field-Compression
 aflags |= SESSIONPFC;
- else if (*p == 8)
+ else if (*p == 8) // Address-and-Control-Field-Compression
 aflags |= SESSIONACFC;
 p += p[1];
 }
-
- {
- char tmp[500] = {0};
- tmp[0] = ConfigReq;
- memcpy((tmp + 1), b, n);
- }
 }
 break;
 case 28: // last recv lcp confreq
- {
- char tmp[500] = {0};
- tmp[0] = ConfigReq;
- memcpy((tmp + 1), b, n);
- break;
- }
+ break;
 case 26: // Initial Received LCP CONFREQ
- {
- char tmp[500] = {0};
- tmp[0] = ConfigReq;
- memcpy((tmp + 1), b, n);
- }
 break;
 case 39: // seq required - we control it as an LNS anyway...
 break;
-- 
2.20.1
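Review bot: The new loop guard `while (p + 1 < e && p[1] && p + p[1] <= e)` in the `case 27` branch still accepts an option length of 1, which is shorter than the two-byte type/length header. In that case `p += p[1]` lands on the length byte and the remaining peer-supplied bytes are parsed out of alignment, which could set `amagic`, `chap` or `aflags` from option data. Requiring a length of at least 2 and comparing against the remaining byte count also avoids forming `p + p[1]` past the end of the buffer: `while (e - p >= 2 && p[1] >= 2 && p[1] <= e - p)`. The casts `*(u32 *) (p + 2)` and `*(u16 *) (p + 2)` read through a possibly unaligned byte pointer, so a `memcpy` into a local would be safer on strict-alignment targets. The enclosing `processudp` starts and ends outside this hunk, so how `b` and `n` are bounded is not visible here.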