author | YASUOKA Masahiko <yasuoka@cvs.openbsd.org> | 2014-12-01 06:55:06 +0000 |
---|---|---|
committer | YASUOKA Masahiko <yasuoka@cvs.openbsd.org> | 2014-12-01 06:55:06 +0000 |
commit | 00f47cefb6f6e935067493e92e1cd1b696b3f085 (patch) | |
tree | e7774f151cf969084bab4b7f6109ebfd8cbcf93e /sys/net | |
parent | 9abdf4d3fd3dbf6d3aaecfe7a1199c3d3b7fbb31 (diff) |
Check the header fields of GRE and MPPE packets strictly.
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pipex.c | 16 | ||||
-rw-r--r-- | sys/net/pipex_local.h | 5 |
2 files changed, 17 insertions, 4 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c index 1bea9f010e9..2021eebbf93 100644 --- a/sys/net/pipex.c +++ b/sys/net/pipex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pipex.c,v 1.63 2014/11/20 14:51:42 krw Exp $ */ +/* $OpenBSD: pipex.c,v 1.64 2014/12/01 06:55:05 yasuoka Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -1076,6 +1076,7 @@ pipex_ppp_input(struct mbuf *m0, struct pipex_session *session, int decrypted) struct m_tag *mtag; struct pipex_tag *tag; + KASSERT(m0->m_pkthdr.len >= PIPEX_PPPMINLEN); proto = pipex_ppp_proto(m0, session, 0, &hlen); #ifdef PIPEX_MPPE if (proto == PPP_COMP) { @@ -1333,7 +1334,8 @@ pipex_common_input(struct pipex_session *session, struct mbuf *m0, int hlen, int proto, ppphlen; u_char code; - if (m0->m_pkthdr.len < hlen + PIPEX_PPPMINLEN) + if ((m0->m_pkthdr.len < hlen + PIPEX_PPPMINLEN) || + (plen < PIPEX_PPPMINLEN)) goto drop; proto = pipex_ppp_proto(m0, session, hlen, &ppphlen); @@ -1397,6 +1399,7 @@ pipex_ppp_proto(struct mbuf *m0, struct pipex_session *session, int off, int proto; u_char *cp, pktbuf[4]; + KASSERT(m0->m_pkthdr.len > sizeof(pktbuf)); m_copydata(m0, off, sizeof(pktbuf), pktbuf); cp = pktbuf; @@ -1660,6 +1663,13 @@ pipex_pptp_lookup_session(struct mbuf *m0) goto not_ours; } + /* flag check */ + if ((flags & PIPEX_GRE_UNUSEDFLAGS) != 0) { + PIPEX_DBG((NULL, LOG_DEBUG, + "<%s> gre header has unused flags at pptp.", __func__)); + goto not_ours; + } + /* lookup pipex session table */ id = ntohs(gre.call_id); session = pipex_lookup_by_session_id(PIPEX_PROTO_PPTP, id); @@ -2614,6 +2624,8 @@ pipex_mppe_input(struct mbuf *m0, struct pipex_session *session) mppe->coher_cnt++; mppe->coher_cnt &= PIPEX_COHERENCY_CNT_MASK; } + if (m0->m_pkthdr.len < PIPEX_PPPMINLEN) + goto drop; pipex_ppp_input(m0, session, 1); diff --git a/sys/net/pipex_local.h b/sys/net/pipex_local.h index 8daa8924f85..7e3287d285d 100644 --- a/sys/net/pipex_local.h +++ b/sys/net/pipex_local.h 
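Review bot: The new `KASSERT(m0->m_pkthdr.len > sizeof(pktbuf))` in pipex_ppp_proto does not involve `off`, yet the `m_copydata` it sits in front of reads `sizeof(pktbuf)` bytes starting at `off`, so the assertion only states the invariant for the `off == 0` caller and says nothing about the bytes actually copied when `off` is nonzero. The precondition the copy relies on is `KASSERT(m0->m_pkthdr.len >= off + (int)sizeof(pktbuf));`, which also avoids the int-versus-size_t comparison of the current form. Because a KASSERT is a diagnostic rather than an input check, the explicit length tests in the callers remain the real guard; for the pipex_common_input caller that is the `hlen + PIPEX_PPPMINLEN` test in the previous hunk, which covers this copy only if PIPEX_PPPMINLEN is at least sizeof(pktbuf), a value not shown on this page. The rest of pipex_ppp_proto lies outside the hunk.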
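Review bot: The unused-flag test in pipex_pptp_lookup_session compares `flags` against the host-order constant `PIPEX_GRE_UNUSEDFLAGS`, so it is only correct if `flags` was already byte-swapped when it was taken from the GRE header; that assignment is above the hunk and not visible here, so a short comment at the check, `/* flags is host order; RFC 2637 requires C, R, s, Recur and Flags to be zero */`, would let a reader verify it in place. Note also that a packet with reserved bits set is handed back via `not_ours` rather than `drop`, so it continues to the regular input path instead of being discarded here; if that is intended, a one-line comment saying so would keep a later reader from tightening it to a drop by mistake. The function's beginning and end are outside the hunk.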
@@ -1,4 +1,4 @@ -/* $OpenBSD: pipex_local.h,v 1.20 2014/10/21 10:52:53 yasuoka Exp $ */ +/* $OpenBSD: pipex_local.h,v 1.21 2014/12/01 06:55:05 yasuoka Exp $ */ /* * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -217,7 +217,8 @@ struct pipex_gre_header { #define PIPEX_GRE_SFLAG 0x1000 /* seq present */ #define PIPEX_GRE_AFLAG 0x0080 /* ack present */ #define PIPEX_GRE_VER 0x0001 /* gre version code */ -#define PIPEX_GRE_VERMASK 0x0003 /* gre version mask */ +#define PIPEX_GRE_VERMASK 0x0007 /* gre version mask */ +#define PIPEX_GRE_UNUSEDFLAGS 0xcf78 /* unused at pptp. set 0 in rfc2637 */ uint16_t type; #define PIPEX_GRE_PROTO_PPP 0x880b /* gre/ppp */ |
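Review bot: The comment on the new `PIPEX_GRE_UNUSEDFLAGS` gives the intent but not the composition, so a reader cannot confirm `0xcf78` without redoing the RFC 2637 bit layout; spelling it out as `/* C|R|s|Recur|Flags (0x8000|0x4000|0x0800|0x0700|0x0078): must be 0 per RFC 2637 */` makes the mask auditable, and the same hunk's widening of `PIPEX_GRE_VERMASK` to `0x0007` deserves a word that the GRE version field is 3 bits wide. The mask deliberately leaves K, S, A and Ver out, so the required K=1 and Ver=1 conditions are presumably enforced by separate checks in pipex_pptp_lookup_session that are not on this page; a cross-reference from this comment to those checks would tie the two together.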