Date: Wed, 20 May 2026 19:48:47 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271843] ppp can crash due to wrapping subtract in FsmRecvEchoReq()
Message-ID: <bug-271843-227-MnJgVncFdJ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-271843-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271843

John Baldwin <jhb@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhb@FreeBSD.org
             Status|New                         |In Progress
           Assignee|bugs@FreeBSD.org            |jhb@FreeBSD.org

--- Comment #1 from John Baldwin <jhb@FreeBSD.org> ---
Hmm, looking at the code in question, almost all of the fsm handlers have this
bug in one form or fashion, e.g.:

static void
FsmRecvConfigReq(struct fsm *fp, struct fsmheader *lhp, struct mbuf *bp)
/* RCR */
{
  struct fsm_decode dec;
  int plen, flen;
  int ackaction = 0;
  u_char *cp;

  bp = m_pullup(bp);
  plen = m_length(bp);
  /* unsigned subtraction: wraps when lhp->length is smaller than the header */
  flen = ntohs(lhp->length) - sizeof *lhp;
  if (plen < flen) {
    log_Printf(LogWARN, "%s: FsmRecvConfigReq: plen (%d) < flen (%d)\n",
               fp->link->name, plen, flen);
    m_freem(bp);
    return;
  }

It seems to me that probably fsm_Input should reject any message whose length
is less than the size of the header. It already does this if the packet is too
small, and I think that will fix this type of bug in multiple handlers, not
just FsmRecvEchoReq().

-- 
You are receiving this mail because:
You are the assignee for the bug.
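As an added example (not ppp's code and not from the bug report), the wrapping arithmetic the comment describes, beside the header-length check it proposes for fsm_Input. The struct fsmheader layout and hdr_length() standing in for ntohs() are assumptions made so the block runs on its own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Stand-in for ppp's struct fsmheader (assumed layout): code, id, and a
 * network-byte-order total length that includes these four bytes. */
struct fsmheader {
  uint8_t code;
  uint8_t id;
  uint16_t length;
};

/* Read the length field; stands in for ntohs() so the example runs anywhere. */
static uint16_t hdr_length(const struct fsmheader *lhp) {
  const unsigned char *p = (const unsigned char *)&lhp->length;
  return (uint16_t)((p[0] << 8) | p[1]);
}

/* Build a header with a given length field (constructed test input). */
struct fsmheader make_header(uint8_t code, uint8_t id, uint16_t length) {
  struct fsmheader h = { code, id, 0 };
  unsigned char *p = (unsigned char *)&h.length;
  p[0] = (unsigned char)(length >> 8);
  p[1] = (unsigned char)(length & 0xff);
  return h;
}

/* The handlers' computation as quoted: uint16_t promotes to int, sizeof is
 * size_t, so the subtraction is unsigned and wraps when length < 4; the
 * assignment to int then yields a negative flen. */
int flen_wrapping(const struct fsmheader *lhp) {
  int flen = hdr_length(lhp) - sizeof *lhp;
  return flen;
}

/* The handlers' guard as quoted: a negative flen never trips plen < flen. */
bool original_guard_passes(const struct fsmheader *lhp, int plen) {
  return !(plen < flen_wrapping(lhp));
}

/* The check Comment #1 proposes for fsm_Input: reject a length field smaller
 * than the header before anything subtracts the header size. -1 = rejected. */
int flen_checked(const struct fsmheader *lhp, int plen) {
  unsigned int len = hdr_length(lhp);
  if (len < sizeof *lhp)
    return -1;
  int flen = (int)(len - sizeof *lhp);
  return plen < flen ? -1 : flen;   /* existing truncation check stays */
}
```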
