Diffstat (limited to 'accel-pppd/ppp/ppp_ccp.c')
-rw-r--r-- | accel-pppd/ppp/ppp_ccp.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/accel-pppd/ppp/ppp_ccp.c b/accel-pppd/ppp/ppp_ccp.c
index 88adc30b..6b97215c 100644
--- a/accel-pppd/ppp/ppp_ccp.c
+++ b/accel-pppd/ppp/ppp_ccp.c
@@ -387,14 +387,12 @@ static int ccp_recv_conf_req(struct ppp_ccp_t *ccp, uint8_t *data, int size)
 while (size > 0) {
 hdr = (struct ccp_opt_hdr_t *)data;
 
+ if (!hdr->len || hdr->len > size)
+ break;
+
 ropt = _malloc(sizeof(*ropt));
 memset(ropt, 0, sizeof(*ropt));
 
- if (hdr->len > size)
- ropt->len = size;
- else
- ropt->len = hdr->len;
-
 ropt->hdr = hdr;
 ropt->state = CCP_OPT_NONE;
 list_add_tail(&ropt->entry, &ccp->ropt_list);
@@ -483,6 +481,9 @@ static int ccp_recv_conf_rej(struct ppp_ccp_t *ccp, uint8_t *data, int size)
 while (size > 0) {
 hdr = (struct ccp_opt_hdr_t *)data;
 
+ if (!hdr->len || hdr->len > size)
+ break;
+
 list_for_each_entry(lopt, &ccp->options, entry) {
 if (lopt->id == hdr->id) {
 if (!lopt->h->recv_conf_rej)
@@ -521,6 +522,9 @@ static int ccp_recv_conf_nak(struct ppp_ccp_t *ccp, uint8_t *data, int size)
 while (size > 0) {
 hdr = (struct ccp_opt_hdr_t *)data;
 
+ if (!hdr->len || hdr->len > size)
+ break;
+
 list_for_each_entry(lopt, &ccp->options, entry) {
 if (lopt->id == hdr->id) {
 if (conf_ppp_verbose) {
@@ -561,6 +565,9 @@ static int ccp_recv_conf_ack(struct ppp_ccp_t *ccp, uint8_t *data, int size)
 while (size > 0) {
 hdr = (struct ccp_opt_hdr_t *)data;
 
+ if (!hdr->len || hdr->len > size)
+ break;
+
 list_for_each_entry(lopt, &ccp->options, entry) {
 if (lopt->id == hdr->id) {
 if (conf_ppp_verbose) {
|
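Review bot: `ropt->len` is no longer assigned anywhere in the ccp_recv_conf_req hunk: both branches of the removed `if`/`else` set it, and the new code drops them without a replacement, so after the `memset` it stays 0 for every received option. If code outside the hunk still reads `ropt->len`, for example when copying options into a reply, it will now see zero where it used to see the option length. Keeping `ropt->len = hdr->len;` next to `ropt->hdr = hdr;` would preserve the old value for well-formed options, which is safe now that the guard has already rejected `hdr->len > size`. The rest of the function lies outside the hunk, so whether the field is still consumed cannot be confirmed from here.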
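Review bot: The new guard in ccp_recv_conf_rej reads `hdr->len` before confirming that a whole option header fits in the remaining `size`, and it accepts a length smaller than the header itself. Because the loop condition is only `while (size > 0)`, a single trailing byte still reaches the `hdr->len` read, and a peer-supplied length of 1 passes the check although the handlers called further down (outside the hunk) presumably expect at least the id and length fields. Consider `if (size < (int)sizeof(*hdr) || hdr->len < sizeof(*hdr) || hdr->len > size)` ahead of the `break`. The identical guard is added in ccp_recv_conf_req, ccp_recv_conf_nak and ccp_recv_conf_ack and would need the same change. The layout of `struct ccp_opt_hdr_t` is not visible on this page, so the one-byte over-read is inferred from the `id` and `len` field accesses.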