From 03c5bd91157b042f9d98c1a1f437dadea6b0531a Mon Sep 17 00:00:00 2001 From: Kozlov Dmitry Date: Mon, 10 Oct 2011 10:22:11 +0400 Subject: [PATCH] ppp: options header sanity check --- accel-pppd/ppp/ppp_ccp.c | 24 ++++++++++++++++-------- accel-pppd/ppp/ppp_ipcp.c | 21 +++++++++++++++------ accel-pppd/ppp/ppp_ipv6cp.c | 21 +++++++++++++++------ accel-pppd/ppp/ppp_lcp.c | 22 +++++++++++++++------- 4 files changed, 61 insertions(+), 27 deletions(-) diff --git a/accel-pppd/ppp/ppp_ccp.c b/accel-pppd/ppp/ppp_ccp.c index 88adc30..0814ace 100644 --- a/accel-pppd/ppp/ppp_ccp.c +++ b/accel-pppd/ppp/ppp_ccp.c @@ -387,20 +387,19 @@ static int ccp_recv_conf_req(struct ppp_ccp_t *ccp, uint8_t *data, int size) while (size > 0) { hdr = (struct ccp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; - + ropt->hdr = hdr; + ropt->len = hdr->len; ropt->state = CCP_OPT_NONE; list_add_tail(&ropt->entry, &ccp->ropt_list); - data += ropt->len; - size -= ropt->len; + data += hdr->len; + size -= hdr->len; } if (conf_ppp_verbose) @@ -483,6 +482,9 @@ static int ccp_recv_conf_rej(struct ppp_ccp_t *ccp, uint8_t *data, int size) while (size > 0) { hdr = (struct ccp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ccp->options, entry) { if (lopt->id == hdr->id) { if (!lopt->h->recv_conf_rej) @@ -521,6 +523,9 @@ static int ccp_recv_conf_nak(struct ppp_ccp_t *ccp, uint8_t *data, int size) while (size > 0) { hdr = (struct ccp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ccp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { 
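Review bot: The new guard `if (!hdr->len || hdr->len > size)` in ccp_recv_conf_req still accepts an option length of 1, and it dereferences `hdr->len` even when only one byte of the packet remains (`size == 1`), which reads past the received data. Assuming the option header is the id/len byte pair the loop dereferences, a length below the header size desynchronises the walk: the next iteration treats the old length byte as an option id, and `ropt->hdr` is queued for an option shorter than its own header. What the per-option handlers then read is outside this diff. Testing the remaining size first and using the header size as the minimum covers both cases: `if (size < (int)sizeof(*hdr) || hdr->len < sizeof(*hdr) || hdr->len > size)` followed by `break;`. The same guard is repeated in every other hunk of this patch (the conf_rej, conf_nak and conf_ack loops in this file and all hunks in ppp_ipcp.c, ppp_ipv6cp.c and ppp_lcp.c), so the change applies to each of them.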
@@ -561,6 +566,9 @@ static int ccp_recv_conf_ack(struct ppp_ccp_t *ccp, uint8_t *data, int size) while (size > 0) { hdr = (struct ccp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ccp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { diff --git a/accel-pppd/ppp/ppp_ipcp.c b/accel-pppd/ppp/ppp_ipcp.c index aee0317..6de79a2 100644 --- a/accel-pppd/ppp/ppp_ipcp.c +++ b/accel-pppd/ppp/ppp_ipcp.c @@ -392,19 +392,19 @@ static int ipcp_recv_conf_req(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; ropt->hdr = hdr; + ropt->len = hdr->len; ropt->state = IPCP_OPT_NONE; list_add_tail(&ropt->entry, &ipcp->ropt_list); - data += ropt->len; - size -= ropt->len; + data += hdr->len; + size -= hdr->len; } list_for_each_entry(lopt, &ipcp->options, entry) @@ -504,6 +504,9 @@ static int ipcp_recv_conf_rej(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (!lopt->h->recv_conf_rej) @@ -542,6 +545,9 @@ static int ipcp_recv_conf_nak(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { @@ -582,6 +588,9 @@ static int ipcp_recv_conf_ack(struct ppp_ipcp_t *ipcp, uint8_t *data, int size) while (size > 0) { hdr = (struct ipcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipcp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { 
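Review bot: In ipcp_recv_conf_req the `break` on a bad option length falls straight into the `list_for_each_entry(lopt, &ipcp->options, entry)` pass that follows the loop, so a malformed Configure-Request is negotiated from whatever options were queued on `ropt_list` before the bad one, and the ignored tail leaves no trace. The rest of the function and its return convention are outside the hunk, so whether a reply is still sent is an inference. A packet with an inconsistent option length is usually better dropped whole, which here would mean releasing the queued `ropt` entries and returning without answering, with a message under `conf_ppp_verbose` so the event is visible in logs. If processing the valid prefix is intended, a comment at the check such as `/* malformed option: stop parsing, options seen so far are still negotiated */` would record that. The conf_req loops in ppp_ccp.c, ppp_ipv6cp.c and ppp_lcp.c have the same shape.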
diff --git a/accel-pppd/ppp/ppp_ipv6cp.c b/accel-pppd/ppp/ppp_ipv6cp.c index a984e43..33cb11d 100644 --- a/accel-pppd/ppp/ppp_ipv6cp.c +++ b/accel-pppd/ppp/ppp_ipv6cp.c @@ -392,19 +392,19 @@ static int ipv6cp_recv_conf_req(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int while (size > 0) { hdr = (struct ipv6cp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; ropt->hdr = hdr; + ropt->len = hdr->len; ropt->state = IPV6CP_OPT_NONE; list_add_tail(&ropt->entry, &ipv6cp->ropt_list); - data += ropt->len; - size -= ropt->len; + data += hdr->len; + size -= hdr->len; } list_for_each_entry(lopt, &ipv6cp->options, entry) @@ -504,6 +504,9 @@ static int ipv6cp_recv_conf_rej(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int while (size > 0) { hdr = (struct ipv6cp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipv6cp->options, entry) { if (lopt->id == hdr->id) { if (!lopt->h->recv_conf_rej) @@ -542,6 +545,9 @@ static int ipv6cp_recv_conf_nak(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int while (size > 0) { hdr = (struct ipv6cp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipv6cp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { @@ -582,6 +588,9 @@ static int ipv6cp_recv_conf_ack(struct ppp_ipv6cp_t *ipv6cp, uint8_t *data, int while (size > 0) { hdr = (struct ipv6cp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + list_for_each_entry(lopt, &ipv6cp->options, entry) { if (lopt->id == hdr->id) { if (conf_ppp_verbose) { diff --git a/accel-pppd/ppp/ppp_lcp.c b/accel-pppd/ppp/ppp_lcp.c index fa23436..78a145a 100644 --- a/accel-pppd/ppp/ppp_lcp.c +++ b/accel-pppd/ppp/ppp_lcp.c 
@@ -368,20 +368,19 @@ static int lcp_recv_conf_req(struct ppp_lcp_t *lcp, uint8_t *data, int size) while (size > 0) { hdr = (struct lcp_opt_hdr_t *)data; + if (!hdr->len || hdr->len > size) + break; + ropt = _malloc(sizeof(*ropt)); memset(ropt, 0, sizeof(*ropt)); - if (hdr->len > size) - ropt->len = size; - else - ropt->len = hdr->len; - ropt->hdr = hdr; + ropt->len = hdr->len; ropt->state = LCP_OPT_NONE; list_add_tail(&ropt->entry, &lcp->ropt_list); - data += ropt->len; - size -= ropt->len; + data += hdr->len; + size -= hdr->len; } list_for_each_entry(lopt, &lcp->options, entry) @@ -460,6 +459,9 @@ static int lcp_recv_conf_rej(struct ppp_lcp_t *lcp, uint8_t *data, int size) while (size > 0) { hdr = (struct lcp_opt_hdr_t *)data; + + if (!hdr->len || hdr->len > size) + break; list_for_each_entry(lopt, &lcp->options, entry) { if (lopt->id == hdr->id) { @@ -502,6 +504,9 @@ static int lcp_recv_conf_nak(struct ppp_lcp_t *lcp, uint8_t *data, int size) while (size > 0) { hdr = (struct lcp_opt_hdr_t *)data; + + if (!hdr->len || hdr->len > size) + break; list_for_each_entry(lopt,&lcp->options,entry) { if (lopt->id == hdr->id) { @@ -542,6 +547,9 @@ static int lcp_recv_conf_ack(struct ppp_lcp_t *lcp, uint8_t *data, int size) while (size > 0) { hdr = (struct lcp_opt_hdr_t *)data; + + if (!hdr->len || hdr->len > size) + break; list_for_each_entry(lopt, &lcp->options, entry) { if (lopt->id == hdr->id) { -- GitLab
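Review bot: The length check is now copy-pasted into sixteen loops across four files, and the lcp hunks already differ from the others in layout, with the blank line before the check and none after it. Because this is the only validation of a peer-controlled length before the option walk, a single shared helper would keep later fixes from being applied to some copies and missed in others. A `static inline` function in a common ppp header, taking the option length and the remaining size, with a one-line comment stating the minimum valid option length, would do. Each loop would then read `if (!opt_len_ok(hdr->len, size)) break;`, where `opt_len_ok` is a suggested name and not an existing function.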