diff options
| author | Kozlov Dmitry <xeb@mail.ru> | 2011-10-10 10:22:11 +0400 |
|---|---|---|
| committer | Kozlov Dmitry <xeb@mail.ru> | 2011-10-10 10:22:11 +0400 |
| commit | 03c5bd91157b042f9d98c1a1f437dadea6b0531a (patch) | |
| tree | 9026db7997d7b3816141d02864176977d9ee0865 /accel-pppd/ppp/ppp_ipcp.c | |
| parent | 676a6f6eccf98df6ccd3feb31ddd4313a8659811 (diff) | |
| download | accel-ppp-03c5bd91157b042f9d98c1a1f437dadea6b0531a.tar.gz accel-ppp-03c5bd91157b042f9d98c1a1f437dadea6b0531a.zip | |
ppp: options header sanity check
Diffstat (limited to 'accel-pppd/ppp/ppp_ipcp.c')
| -rw-r--r-- | accel-pppd/ppp/ppp_ipcp.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/accel-pppd/ppp/ppp_ipcp.c b/accel-pppd/ppp/ppp_ipcp.c index aee0317d..6de79a2e 100644 --- a/accel-pppd/ppp/ppp_ipcp.c +++ b/accel-pppd/ppp/ppp_ipcp.c @@ -392,19 +392,19 @@ static int ipcp_recv_conf_req(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; ropt->hdr = hdr; + ropt->len = hdr->len; ropt->state = IPCP_OPT_NONE; list_add_tail(&ropt->entry, &ipcp->ropt_list); - data += ropt->len; - size -= ropt->len; + data += hdr->len; + size -= hdr->len; } list_for_each_entry(lopt, &ipcp->options, entry) @@ -504,6 +504,9 @@ static int ipcp_recv_conf_rej(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (!lopt->h->recv_conf_rej) @@ -542,6 +545,9 @@ static int ipcp_recv_conf_nak(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { @@ -582,6 +588,9 @@ static int ipcp_recv_conf_ack(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { |