authorGuillaume Nault <g.nault@alphalink.fr>2014-01-16 21:23:58 +0100
committerDmitry Kozlov <xeb@mail.ru>2014-02-08 09:45:39 +0400
commit0e63419ea36db3a8d673997f1ff74309b9cb77f2 (patch)
tree95aea6347c03fee715d86cadfc1dd3cd9d9b4867 /accel-pppd
parent65be5ebef989e62091368c7457ad33f1e8d63ead (diff)
pppoe: check for tag format validity in PADR messages
Avoid parsing inconsistent PPPoE tags when handling PADR. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Diffstat (limited to 'accel-pppd')
-rw-r--r--accel-pppd/ctrl/pppoe/pppoe.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/accel-pppd/ctrl/pppoe/pppoe.c b/accel-pppd/ctrl/pppoe/pppoe.c
index a272dc0..56436ef 100644
--- a/accel-pppd/ctrl/pppoe/pppoe.c
+++ b/accel-pppd/ctrl/pppoe/pppoe.c
@@ -921,6 +921,17 @@ static void pppoe_recv_PADR(struct pppoe_serv_t *serv, uint8_t *pack, int size)
for (n = 0; n < ntohs(hdr->length); n += sizeof(*tag) + ntohs(tag->tag_len)) {
tag = (struct pppoe_tag *)(pack + ETH_HLEN + sizeof(*hdr) + n);
+
+ if (n + sizeof(*tag) > ntohs(hdr->length)) {
+ if (conf_verbose)
+ log_warn("pppoe: discard PADR packet (truncated tag)\n");
+ return;
+ }
+ if (n + sizeof(*tag) + ntohs(tag->tag_len) > ntohs(hdr->length)) {
+ if (conf_verbose)
+ log_warn("pppoe: discard PADR packet (invalid tag length)\n");
+ return;
+ }
switch (ntohs(tag->tag_type)) {
case TAG_END_OF_LIST:
break;
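Review bot: Both added checks in the tag loop bound each tag by `ntohs(hdr->length)`, which is itself a field taken from the received frame, so they only keep the `tag` reads inside the packet buffer if `hdr->length` has already been validated against `size`. That validation is not visible in this hunk (pppoe_recv_PADR starts and ends outside it), so it should be confirmed. If it turns out to be missing, a guard before the loop such as `if (size < 0 || (size_t)size < ETH_HLEN + sizeof(*hdr) + ntohs(hdr->length)) return;` would close the gap. A short comment above the two checks, e.g. `/* tag header, then tag payload, must both lie within hdr->length */`, would also make explicit why the header check has to come before `tag->tag_len` is read.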