From 9db65ee7acc0e4a42c30250e728ab656e5a4c61a Mon Sep 17 00:00:00 2001
From: Dmitry Kozlov
Date: Fri, 9 Jan 2015 21:07:17 +0300
Subject: pppoe: check for tag length in print_packet function (fixes sigsegv)
---
 accel-pppd/ctrl/pppoe/pppoe.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'accel-pppd/ctrl/pppoe')
diff --git a/accel-pppd/ctrl/pppoe/pppoe.c b/accel-pppd/ctrl/pppoe/pppoe.c
index 12c274bb..092f0f32 100644
--- a/accel-pppd/ctrl/pppoe/pppoe.c
+++ b/accel-pppd/ctrl/pppoe/pppoe.c
@@ -487,6 +487,17 @@ static void print_packet(uint8_t *pack)
 for (n = 0; n < ntohs(hdr->length); n += sizeof(*tag) + ntohs(tag->tag_len)) {
 tag = (struct pppoe_tag *)(pack + ETH_HLEN + sizeof(*hdr) + n);
+
+ if (n + sizeof(*tag) > ntohs(hdr->length)) {
+ log_info2(" ...");
+ break;
+ }
+
+ if (n + sizeof(*tag) + ntohs(tag->tag_len) > ntohs(hdr->length)) {
+ log_info2(" ...");
+ break;
+ }
+
+
 switch (ntohs(tag->tag_type)) {
 case TAG_END_OF_LIST:
 log_info2(" ");
--
cgit v1.2.3
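Review bot: Both new guards in the tag loop bound `n` by `ntohs(hdr->length)`, a length field taken from the packet itself, while print_packet() receives only `uint8_t *pack` and cannot know how many bytes actually arrived; a frame that declares more payload than was received would still have `tag->tag_type` and `tag->tag_len` read past the received data. Whether every caller has already rejected such frames is not visible here (the function body starts and ends outside the hunk), so either state the precondition above the loop, e.g. `/* caller has verified ETH_HLEN + sizeof(*hdr) + ntohs(hdr->length) <= bytes received */`, or pass the received size in and check against it as well. The two guards could also be folded into a single condition joined with `||`, keeping the tag-header check first so that `tag->tag_len` is only read once the header is known to be in range.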