diff options
| author | Guillaume Nault <g.nault@alphalink.fr> | 2014-01-16 21:23:58 +0100 |
|---|---|---|
| committer | Dmitry Kozlov <xeb@mail.ru> | 2014-01-17 15:35:27 +0400 |
| commit | 1de8f3bea7317551413e5dec1a9daa420436c769 (patch) | |
| tree | 564b6cfb78397667168d566cbc90033536019d14 /accel-pppd | |
| parent | 01fcf87fe35502f6745137d79f56e618368872eb (diff) | |
| download | accel-ppp-1de8f3bea7317551413e5dec1a9daa420436c769.tar.gz accel-ppp-1de8f3bea7317551413e5dec1a9daa420436c769.zip | |
pppoe: check for tag format validity in PADR messages
Avoid parsing inconsistent PPPoE tags when handling PADR.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Diffstat (limited to 'accel-pppd')
| -rw-r--r-- | accel-pppd/ctrl/pppoe/pppoe.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/accel-pppd/ctrl/pppoe/pppoe.c b/accel-pppd/ctrl/pppoe/pppoe.c index 9d30c62c..22ddf431 100644 --- a/accel-pppd/ctrl/pppoe/pppoe.c +++ b/accel-pppd/ctrl/pppoe/pppoe.c @@ -927,6 +927,17 @@ static void pppoe_recv_PADR(struct pppoe_serv_t *serv, uint8_t *pack, int size) for (n = 0; n < ntohs(hdr->length); n += sizeof(*tag) + ntohs(tag->tag_len)) { tag = (struct pppoe_tag *)(pack + ETH_HLEN + sizeof(*hdr) + n); + + if (n + sizeof(*tag) > ntohs(hdr->length)) { + if (conf_verbose) + log_warn("pppoe: discard PADR packet (truncated tag)\n"); + return; + } + if (n + sizeof(*tag) + ntohs(tag->tag_len) > ntohs(hdr->length)) { + if (conf_verbose) + log_warn("pppoe: discard PADR packet (invalid tag length)\n"); + return; + } switch (ntohs(tag->tag_type)) { case TAG_END_OF_LIST: break; |