summaryrefslogtreecommitdiffstats
path: root/sys/net/if_pppoe.c
diff options
context:
space:
mode:
authorbrad <brad@openbsd.org>2008-08-27 08:41:46 +0000
committerbrad <brad@openbsd.org>2008-08-27 08:41:46 +0000
commit2aa349e18c7fb28c340be41c15fe73d885dba5ce (patch)
tree1d5f1771cc82da76c86200b0dd669e1cda575470 /sys/net/if_pppoe.c
parentadd a C-c target, so we can use it as a prefix for keybindings. (diff)
downloadwireguard-openbsd-2aa349e18c7fb28c340be41c15fe73d885dba5ce.tar.xz
wireguard-openbsd-2aa349e18c7fb28c340be41c15fe73d885dba5ce.zip
Fix length check when parsing PPPoE discovery phase packets.
Malicious PPPoE discovery packets could cause the kernel to crash. From canacar@ and inspired by the original fix from NetBSD. ok canacar@
Diffstat (limited to 'sys/net/if_pppoe.c')
-rw-r--r--sys/net/if_pppoe.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/sys/net/if_pppoe.c b/sys/net/if_pppoe.c
index 548c5546008..f21d2fe9361 100644
--- a/sys/net/if_pppoe.c
+++ b/sys/net/if_pppoe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pppoe.c,v 1.23 2008/08/09 11:25:05 thib Exp $ */
+/* $OpenBSD: if_pppoe.c,v 1.24 2008/08/27 08:41:46 brad Exp $ */
/* $NetBSD: if_pppoe.c,v 1.51 2003/11/28 08:56:48 keihan Exp $ */
/*
@@ -471,6 +471,7 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off)
pt = (struct pppoetag *)(mtod(n, caddr_t) + noff);
tag = ntohs(pt->tag);
len = ntohs(pt->len);
+ off += sizeof(*pt);
if (off + len > m->m_pkthdr.len) {
printf("%s: tag 0x%x len 0x%x is too long\n",
devname, tag, len);
@@ -486,7 +487,7 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off)
case PPPOE_TAG_HUNIQUE:
if (sc != NULL)
break;
- n = m_pulldown(m, off + sizeof(*pt), len, &noff);
+ n = m_pulldown(m, off, len, &noff);
if (n == NULL) {
m = NULL;
err_msg = "TAG HUNIQUE ERROR";
@@ -503,7 +504,7 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off)
break;
case PPPOE_TAG_ACCOOKIE:
if (ac_cookie == NULL) {
- n = m_pulldown(m, off + sizeof(*pt), len,
+ n = m_pulldown(m, off, len,
&noff);
if (n == NULL) {
err_msg = "TAG ACCOOKIE ERROR";
@@ -516,7 +517,7 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off)
break;
case PPPOE_TAG_RELAYSID:
if (relay_sid == NULL) {
- n = m_pulldown(m, off + sizeof(*pt), len,
+ n = m_pulldown(m, off, len,
&noff);
if (n == NULL) {
err_msg = "TAG RELAYSID ERROR";
@@ -543,7 +544,7 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off)
if (err_msg) {
log(LOG_INFO, "%s: %s: ", devname, err_msg);
if (errortag && len) {
- n = m_pulldown(m, off + sizeof(*pt), len,
+ n = m_pulldown(m, off, len,
&noff);
if (n) {
u_int8_t *et = mtod(n, caddr_t) + noff;
@@ -554,7 +555,7 @@ static void pppoe_dispatch_disc_pkt(struct mbuf *m, int off)
addlog("\n");
goto done;
}
- off += sizeof(*pt) + len;
+ off += len;
}
breakbreak:
switch (code) {
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.