From 2405fd6ba52618f07c0fa11d85c0f039653678bc Mon Sep 17 00:00:00 2001
From: Kozlov Dmitry
Date: Thu, 6 Oct 2011 21:28:48 +0400
Subject: ppp: options header sanity check
---
 accel-pppd/ppp/ppp_ipv6cp.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
(limited to 'accel-pppd/ppp/ppp_ipv6cp.c')
diff --git a/accel-pppd/ppp/ppp_ipv6cp.c b/accel-pppd/ppp/ppp_ipv6cp.c
index a984e43a..5479f316 100644
--- a/accel-pppd/ppp/ppp_ipv6cp.c
+++ b/accel-pppd/ppp/ppp_ipv6cp.c
@@ -392,13 +392,12 @@ static int ipv6cp_recv_conf_req(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int
 while (size > 0) {
 hdr = (struct ipv6cp_opt_hdr_t *)data;
+ if (!hdr->len || hdr->len > size)
+ break;
+
 ropt = _malloc(sizeof(*ropt));
 memset(ropt, 0, sizeof(*ropt));
- if (hdr->len > size)
- ropt->len = size;
- else
- ropt->len = hdr->len;
 ropt->hdr = hdr;
 ropt->state = IPV6CP_OPT_NONE;
 list_add_tail(&ropt->entry, &ipv6cp->ropt_list);
@@ -504,6 +503,9 @@ static int ipv6cp_recv_conf_rej(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int
 while (size > 0) {
 hdr = (struct ipv6cp_opt_hdr_t *)data;
+ if (!hdr->len || hdr->len > size)
+ break;
+
 list_for_each_entry(lopt, &ipv6cp->options, entry) {
 if (lopt->id == hdr->id) {
 if (!lopt->h->recv_conf_rej)
@@ -542,6 +544,9 @@ static int ipv6cp_recv_conf_nak(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int
 while (size > 0) {
 hdr = (struct ipv6cp_opt_hdr_t *)data;
+ if (!hdr->len || hdr->len > size)
+ break;
+
 list_for_each_entry(lopt, &ipv6cp->options, entry) {
 if (lopt->id == hdr->id) {
 if (conf_ppp_verbose) {
@@ -582,6 +587,9 @@ static int ipv6cp_recv_conf_ack(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int
 while (size > 0) {
 hdr = (struct ipv6cp_opt_hdr_t *)data;
+ if (!hdr->len || hdr->len > size)
+ break;
+
 list_for_each_entry(lopt, &ipv6cp->options, entry) {
 if (lopt->id == hdr->id) {
 if (conf_ppp_verbose) {
-- cgit v1.2.3
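Review bot: The new guard in ipv6cp_recv_conf_req still accepts an option whose length byte is 1, and it reads `hdr->len` even when only one byte of option data remains (`size == 1`), so the check itself can read past what `size` says is left. Assuming the option header is just the id and len fields these hunks dereference, the minimum valid length is the header size and the guard should be `if (size < (int)sizeof(*hdr) || hdr->len < sizeof(*hdr) || hdr->len > size) break;`. The identical check added in ipv6cp_recv_conf_rej, ipv6cp_recv_conf_nak and ipv6cp_recv_conf_ack has the same gap. Separately, this hunk removes the only visible assignment of `ropt->len`, which now stays zero from the memset; unless it is set outside the hunk or never read, add `ropt->len = hdr->len;` after the check. All four function bodies start and end outside the hunks.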
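Review bot: On a bad length the check added in ipv6cp_recv_conf_rej only leaves the loop with `break`, so a packet whose option list is truncated or malformed appears to be treated as if the list had ended cleanly, with the options before the bad one already handled inside the loop. The same applies to the nak and ack hunks, and to the request hunk, where entries already added to `ropt_list` stay queued. What each function does after the loop is outside these hunks, so this is inferred from the visible lines. A packet that fails the length check is better rejected as a whole, for example by validating the full option list in a first pass before acting on any option, or by returning the function's error value instead of `break`. If partial processing is intended, a comment such as `/* malformed option: stop parsing, earlier options are still applied */` above the check would make that explicit.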