To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: 37e9d3641ba0 - main - ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 37e9d3641ba0e0da0d2bbaa26a59ee56a8cf3ee6
Date: Mon, 08 Jun 2026 13:52:37 +0000
Message-Id: <6a26c925.43353.7c441902@gitrepo.freebsd.org>

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=37e9d3641ba0e0da0d2bbaa26a59ee56a8cf3ee6

commit 37e9d3641ba0e0da0d2bbaa26a59ee56a8cf3ee6
Author:     Cy Schubert
AuthorDate: 2026-05-29 06:17:39 +0000
Commit:     Cy Schubert
CommitDate: 2026-06-08 13:51:24 +0000

    ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow

    A PPTP client sending a specially crafted PPTP message with a length
    smaller than the already processed fixed header can panic the system.
    This results in a negative remaining length (a large unsigned 16-bit
    number).

    Reported by:    Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
                    and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D57383
---
 sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c index dc4c67dc14f0..95eaf78bd575 100644 --- a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c +++ b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
@@ -318,7 +318,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev) * it should match 1a2b3c4d. Byte order is ignored, * deliberately, when printing out the error. */ - len = MIN(8 - pptps->pptps_bytes, dlen); + if (pptps->pptps_bytes >= 8) + return (-1); + len = MIN((size_t)(8 - pptps->pptps_bytes), dlen); COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr); pptps->pptps_bytes += len; pptps->pptps_wptr += len; @@ -361,7 +363,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev) } } - len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen); + if (pptps->pptps_len <= pptps->pptps_bytes) + return (-1); + len = MIN((size_t)(pptps->pptps_len - pptps->pptps_bytes), dlen); COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr); pptps->pptps_bytes += len; pptps->pptps_wptr += len;
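
Review bot: In the first hunk (@@ -318), the literal 8 now appears in both the new guard "if (pptps->pptps_bytes >= 8)" and the subtraction "8 - pptps->pptps_bytes", with no comment saying what the 8 bytes are or why reaching that count at this point is an error rather than a completed header. A named constant shared by both lines, plus a one-line comment on the guard, would keep the two from drifting apart in a later edit. The return (-1) is also silent; if this path has a debug message or counter for malformed input elsewhere in the function, using it here would make a rejected packet visible to an operator. Separately, the (size_t) cast changes the type that MIN compares against dlen, so it is worth confirming in review that dlen cannot be negative when this line is reached, since a negative signed value would compare as a very large one.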
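
Review bot: In the second hunk (@@ -361), the guard "if (pptps->pptps_len <= pptps->pptps_bytes)" returns -1 when the two values are equal as well as when the length is smaller, so a message whose declared length exactly matches the bytes already buffered is treated as an error. If that case can be a legitimately complete message, the comparison should be "<" with the equal case handled as a zero-byte copy; if it cannot occur here, a short comment saying so would help the next reader. Since the commit message describes the fault as a declared length smaller than the already processed fixed header, consider also rejecting such a value at the point where pptps_len is first set, so the proxy state never carries a length that a later subtraction could underflow on.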