diff options
author | Kozlov Dmitry <xeb@mail.ru> | 2012-07-07 16:09:25 +0400 |
---|---|---|
committer | Kozlov Dmitry <xeb@mail.ru> | 2012-07-07 16:09:25 +0400 |
commit | 72c82d4f729e68acab1c91de502cd0c230cbed39 (patch) | |
tree | 12b17f62e3ab0e544767738f46550e307947f753 /accel-pppd | |
parent | 8f09e27527fd88189a66ddf425d30a9f244199bc (diff) | |
download | accel-ppp-72c82d4f729e68acab1c91de502cd0c230cbed39.tar.gz accel-ppp-72c82d4f729e68acab1c91de502cd0c230cbed39.zip |
pppoe: tag length sanity check
Diffstat (limited to 'accel-pppd')
-rw-r--r-- | accel-pppd/ctrl/pppoe/pppoe.c | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/accel-pppd/ctrl/pppoe/pppoe.c b/accel-pppd/ctrl/pppoe/pppoe.c index f616ade4..079ef51b 100644 --- a/accel-pppd/ctrl/pppoe/pppoe.c +++ b/accel-pppd/ctrl/pppoe/pppoe.c @@ -771,6 +771,7 @@ static void pppoe_recv_PADI(struct pppoe_serv_t *serv, uint8_t *pack, int size) int n, service_match = 0; struct delayed_pado_t *pado; struct timespec ts; + int len; __sync_add_and_fetch(&stat_PADI_recv, 1); @@ -789,18 +790,14 @@ static void pppoe_recv_PADI(struct pppoe_serv_t *serv, uint8_t *pack, int size) return; } - if (hdr->sid) { - log_warn("pppoe: discarding PADI packet (sid is not zero)\n"); + if (hdr->sid) return; - } - if (conf_verbose) { - log_info2("recv "); - print_packet(pack); - } - - for (n = 0; n < ntohs(hdr->length); n += sizeof(*tag) + ntohs(tag->tag_len)) { + len = ntohs(hdr->length); + for (n = 0; n < len; n += sizeof(*tag) + ntohs(tag->tag_len)) { tag = (struct pppoe_tag *)(pack + ETH_HLEN + sizeof(*hdr) + n); + if (n + sizeof(*tag) + ntohs(tag->tag_len) > len) + return; switch (ntohs(tag->tag_type)) { case TAG_END_OF_LIST: break; @@ -825,6 +822,11 @@ static void pppoe_recv_PADI(struct pppoe_serv_t *serv, uint8_t *pack, int size) } } + if (conf_verbose) { + log_info2("recv "); + print_packet(pack); + } + if (!service_match) { if (conf_verbose) log_warn("pppoe: discarding PADI packet (Service-Name mismatch)\n"); |