diff options
| author | Kozlov Dmitry <xeb@mail.ru> | 2011-10-06 21:28:48 +0400 |
|---|---|---|
| committer | Kozlov Dmitry <xeb@mail.ru> | 2011-10-06 21:28:48 +0400 |
| commit | 2405fd6ba52618f07c0fa11d85c0f039653678bc (patch) | |
| tree | 0cc55d1368d3be31df0cc1370854ee891f4b88c6 /accel-pppd | |
| parent | a8462baac3790dfa8f1c6b3cb715de0ec4fcbe74 (diff) | |
| download | accel-ppp-2405fd6ba52618f07c0fa11d85c0f039653678bc.tar.gz accel-ppp-2405fd6ba52618f07c0fa11d85c0f039653678bc.zip | |
ppp: options header sanity check
Diffstat (limited to 'accel-pppd')
| -rw-r--r-- | accel-pppd/ppp/ppp_ccp.c | 17 | ||||
| -rw-r--r-- | accel-pppd/ppp/ppp_ipcp.c | 20 | ||||
| -rw-r--r-- | accel-pppd/ppp/ppp_ipv6cp.c | 16 | ||||
| -rw-r--r-- | accel-pppd/ppp/ppp_lcp.c | 17 |
4 files changed, 51 insertions, 19 deletions
diff --git a/accel-pppd/ppp/ppp_ccp.c b/accel-pppd/ppp/ppp_ccp.c index 88adc30b..6b97215c 100644 --- a/accel-pppd/ppp/ppp_ccp.c +++ b/accel-pppd/ppp/ppp_ccp.c @@ -387,14 +387,12 @@ static int ccp_recv_conf_req(struct ppp_ccp_t *ccp, uint8_t *data, int size) while (size > 0) { hdr = (struct ccp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; - ropt->hdr = hdr; ropt->state = CCP_OPT_NONE; list_add_tail(&ropt->entry, &ccp->ropt_list); @@ -483,6 +481,9 @@ static int ccp_recv_conf_rej(struct ppp_ccp_t *ccp, uint8_t *data, int size) while (size > 0) { hdr = (struct ccp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ccp->options, entry) { if (lopt->id == hdr->id) { if (!lopt->h->recv_conf_rej) @@ -521,6 +522,9 @@ static int ccp_recv_conf_nak(struct ppp_ccp_t *ccp, uint8_t *data, int size) while (size > 0) { hdr = (struct ccp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ccp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { @@ -561,6 +565,9 @@ static int ccp_recv_conf_ack(struct ppp_ccp_t *ccp, uint8_t *data, int size) while (size > 0) { hdr = (struct ccp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ccp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { diff --git a/accel-pppd/ppp/ppp_ipcp.c b/accel-pppd/ppp/ppp_ipcp.c index aee0317d..63818e8c 100644 --- a/accel-pppd/ppp/ppp_ipcp.c +++ b/accel-pppd/ppp/ppp_ipcp.c @@ -392,13 +392,14 @@ static int ipcp_recv_conf_req(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; + ropt->len = hdr->len; + ropt->hdr = hdr; ropt->state = IPCP_OPT_NONE; list_add_tail(&ropt->entry, &ipcp->ropt_list); @@ -503,7 +504,10 @@ static int ipcp_recv_conf_rej(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; - + + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (!lopt->h->recv_conf_rej) @@ -542,6 +546,9 @@ static int ipcp_recv_conf_nak(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { @@ -582,6 +589,9 @@ static int ipcp_recv_conf_ack(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { diff --git a/accel-pppd/ppp/ppp_ipv6cp.c b/accel-pppd/ppp/ppp_ipv6cp.c index a984e43a..5479f316 100644 --- a/accel-pppd/ppp/ppp_ipv6cp.c +++ b/accel-pppd/ppp/ppp_ipv6cp.c @@ -392,13 +392,12 @@ static int ipv6cp_recv_conf_req(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int while (size > 0) { hdr = (struct ipv6cp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; ropt->hdr = hdr; ropt->state = IPV6CP_OPT_NONE; list_add_tail(&ropt->entry, &ipv6cp->ropt_list); @@ -504,6 +503,9 @@ static int ipv6cp_recv_conf_rej(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int while (size > 0) { hdr = (struct ipv6cp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipv6cp->options, entry) { if (lopt->id == hdr->id) { if (!lopt->h->recv_conf_rej) @@ -542,6 +544,9 @@ static int ipv6cp_recv_conf_nak(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int while (size > 0) { hdr = (struct ipv6cp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipv6cp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { @@ -582,6 +587,9 @@ static int ipv6cp_recv_conf_ack(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int while (size > 0) { hdr = (struct ipv6cp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipv6cp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { diff --git a/accel-pppd/ppp/ppp_lcp.c b/accel-pppd/ppp/ppp_lcp.c index fa23436d..955b859d 100644 --- a/accel-pppd/ppp/ppp_lcp.c +++ b/accel-pppd/ppp/ppp_lcp.c @@ -368,14 +368,12 @@ static int lcp_recv_conf_req(struct ppp_lcp_t *lcp, uint8_t *data, int size) while (size > 0) { hdr = (struct lcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; - ropt->hdr = hdr; ropt->state = LCP_OPT_NONE; list_add_tail(&ropt->entry, &lcp->ropt_list); @@ -461,6 +459,9 @@ static int lcp_recv_conf_rej(struct ppp_lcp_t *lcp, uint8_t *data, int size) while (size > 0) { hdr = (struct lcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &lcp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { @@ -503,6 +504,9 @@ static int lcp_recv_conf_nak(struct ppp_lcp_t *lcp, uint8_t *data, int size) while (size > 0) { hdr = (struct lcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt,&lcp->options,entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { @@ -543,6 +547,9 @@ static int lcp_recv_conf_ack(struct ppp_lcp_t *lcp, uint8_t *data, int size) while (size > 0) { hdr = (struct lcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &lcp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { |