summaryrefslogtreecommitdiff
path: root/accel-pppd/ctrl/pppoe/pppoe.c
diff options
context:
space:
mode:
Diffstat (limited to 'accel-pppd/ctrl/pppoe/pppoe.c')
-rw-r--r--accel-pppd/ctrl/pppoe/pppoe.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/accel-pppd/ctrl/pppoe/pppoe.c b/accel-pppd/ctrl/pppoe/pppoe.c
index a272dc0..56436ef 100644
--- a/accel-pppd/ctrl/pppoe/pppoe.c
+++ b/accel-pppd/ctrl/pppoe/pppoe.c
@@ -921,6 +921,17 @@ static void pppoe_recv_PADR(struct pppoe_serv_t *serv, uint8_t *pack, int size)
for (n = 0; n < ntohs(hdr->length); n += sizeof(*tag) + ntohs(tag->tag_len)) {
tag = (struct pppoe_tag *)(pack + ETH_HLEN + sizeof(*hdr) + n);
+
+ if (n + sizeof(*tag) > ntohs(hdr->length)) {
+ if (conf_verbose)
+ log_warn("pppoe: discard PADR packet (truncated tag)\n");
+ return;
+ }
+ if (n + sizeof(*tag) + ntohs(tag->tag_len) > ntohs(hdr->length)) {
+ if (conf_verbose)
+ log_warn("pppoe: discard PADR packet (invalid tag length)\n");
+ return;
+ }
switch (ntohs(tag->tag_type)) {
case TAG_END_OF_LIST:
break;
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-16 18:51:32 +0000