Date: Wed, 10 Jun 2026 13:52:33 +0000 From: John Baldwin <jhb@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 4d8fde8cff07 - main - ppp: Reject FSM messages whose length is smaller than the message header Message-ID: <6a296c21.1f806.54e3558@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=4d8fde8cff0796f32e659036543aa17d16a15b1b commit 4d8fde8cff0796f32e659036543aa17d16a15b1b Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2026-06-10 13:44:10 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2026-06-10 13:44:10 +0000 ppp: Reject FSM messages whose length is smaller than the message header PR: 271843 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: des, emaste Differential Revision: https://reviews.freebsd.org/D57139 --- usr.sbin/ppp/fsm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr.sbin/ppp/fsm.c b/usr.sbin/ppp/fsm.c index 5c011bef7f4f..060a9149a6af 100644 --- a/usr.sbin/ppp/fsm.c +++ b/usr.sbin/ppp/fsm.c @@ -1060,6 +1060,12 @@ fsm_Input(struct fsm *fp, struct mbuf *bp) m_freem(bp); return; } + if (ntohs(lh.length) < sizeof(lh)) { + log_Printf(LogWARN, "%s: Header length %d is too small - dropped\n", + fp->link->name, (int)ntohs(lh.length)); + m_freem(bp); + return; + } if (lh.code < fp->min_code || lh.code > fp->max_code || lh.code > sizeof FsmCodes / sizeof *FsmCodes) {home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a296c21.1f806.54e3558>