authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2013-02-13 22:10:39 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2013-02-13 22:10:39 +0000
commitcaac358034bc354ecb6dcd21300fa7cba355936d (patch)
tree5b3604573c70d2ebe83d39663ea3cd2b1bbbd92e /sys/net
parent0b7142df1b64033bac3f97c7ec7ff65080970e14 (diff)
Pipex panicked when a 0-length MPPE key was given by ioctl. Return
EINVAL instead of panicking. Also, npppd called ioctl with the invalid argument because of bugs introduced by the config parser change commit. Fix those bugs and make sure not to use 0-length keys for MPPE. reported by csszep at gmail and giovanni; ok giovanni
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pipex.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index 3b700984e81..f3b1e22fe1d 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.37 2012/12/14 01:19:26 dlg Exp $ */
+/* $OpenBSD: pipex.c,v 1.38 2013/02/13 22:10:38 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -396,14 +396,24 @@ pipex_add_session(struct pipex_session_req *req,
}
#endif
#ifdef PIPEX_MPPE
- if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ACCEPTED) != 0)
+ if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ACCEPTED) != 0) {
+ if (req->pr_mppe_recv.keylenbits <= 0) {
+ free(session, M_TEMP);
+ return (EINVAL);
+ }
pipex_session_init_mppe_recv(session,
req->pr_mppe_recv.stateless, req->pr_mppe_recv.keylenbits,
req->pr_mppe_recv.master_key);
- if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ENABLED) != 0)
+ }
+ if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ENABLED) != 0) {
+ if (req->pr_mppe_send.keylenbits <= 0) {
+ free(session, M_TEMP);
+ return (EINVAL);
+ }
pipex_session_init_mppe_send(session,
req->pr_mppe_send.stateless, req->pr_mppe_send.keylenbits,
req->pr_mppe_send.master_key);
+ }
if (pipex_session_is_mppe_required(session)) {
if (!pipex_session_is_mppe_enabled(session) ||