authorKozlov Dmitry <xeb@mail.ru>2012-07-07 16:09:25 +0400
committerKozlov Dmitry <xeb@mail.ru>2012-07-07 16:09:25 +0400
commit72c82d4f729e68acab1c91de502cd0c230cbed39 (patch)
tree12b17f62e3ab0e544767738f46550e307947f753
parent8f09e27527fd88189a66ddf425d30a9f244199bc (diff)
pppoe: tag length sanity check
-rw-r--r--accel-pppd/ctrl/pppoe/pppoe.c20
1 files changed, 11 insertions, 9 deletions
diff --git a/accel-pppd/ctrl/pppoe/pppoe.c b/accel-pppd/ctrl/pppoe/pppoe.c
index f616ade4..079ef51b 100644
--- a/accel-pppd/ctrl/pppoe/pppoe.c
+++ b/accel-pppd/ctrl/pppoe/pppoe.c
@@ -771,6 +771,7 @@ static void pppoe_recv_PADI(struct pppoe_serv_t *serv, uint8_t *pack, int size)
int n, service_match = 0;
struct delayed_pado_t *pado;
struct timespec ts;
+ int len;
__sync_add_and_fetch(&stat_PADI_recv, 1);
@@ -789,18 +790,14 @@ static void pppoe_recv_PADI(struct pppoe_serv_t *serv, uint8_t *pack, int size)
return;
}
- if (hdr->sid) {
- log_warn("pppoe: discarding PADI packet (sid is not zero)\n");
+ if (hdr->sid)
return;
- }
- if (conf_verbose) {
- log_info2("recv ");
- print_packet(pack);
- }
-
- for (n = 0; n < ntohs(hdr->length); n += sizeof(*tag) + ntohs(tag->tag_len)) {
+ len = ntohs(hdr->length);
+ for (n = 0; n < len; n += sizeof(*tag) + ntohs(tag->tag_len)) {
tag = (struct pppoe_tag *)(pack + ETH_HLEN + sizeof(*hdr) + n);
+ if (n + sizeof(*tag) + ntohs(tag->tag_len) > len)
+ return;
switch (ntohs(tag->tag_type)) {
case TAG_END_OF_LIST:
break;
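Review bot: The new bound check at the top of the loop reads `tag->tag_len` before confirming that the four-byte tag header itself lies inside `len`, so when fewer than `sizeof(*tag)` bytes remain the test is computed from bytes past the declared payload. Checking the header first closes that gap: `if (n + sizeof(*tag) > len) return;` placed ahead of the existing test. The hunk also does not show `len` being compared with the `size` argument; if the caller does not already reject frames shorter than `ETH_HLEN + sizeof(*hdr) + len`, that comparison belongs here as well. The body of pppoe_recv_PADI starts and ends outside this hunk.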
@@ -825,6 +822,11 @@ static void pppoe_recv_PADI(struct pppoe_serv_t *serv, uint8_t *pack, int size)
}
}
+ if (conf_verbose) {
+ log_info2("recv ");
+ print_packet(pack);
+ }
+
if (!service_match) {
if (conf_verbose)
log_warn("pppoe: discarding PADI packet (Service-Name mismatch)\n");
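Review bot: With the verbose dump moved below the tag loop, a PADI dropped by the new length check or by the non-zero `sid` test leaves no trace even when `conf_verbose` is set, which hides malformed traffic from whoever operates the server. A verbose-only line at the early return, e.g. `if (conf_verbose) log_warn("pppoe: discarding PADI packet (malformed tag)\n");`, or a drop counter kept next to `stat_PADI_recv`, would keep those drops observable without running `print_packet` on a packet that failed validation. The enclosing function continues past the end of this hunk.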