summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2013-02-13 22:10:39 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2013-02-13 22:10:39 +0000
commitcaac358034bc354ecb6dcd21300fa7cba355936d (patch)
tree5b3604573c70d2ebe83d39663ea3cd2b1bbbd92e /sys
parent0b7142df1b64033bac3f97c7ec7ff65080970e14 (diff)
Pipex did panic when the 0 length mppe is given by ioctl. Return
EINVAL instead of panic. Also npppd called ioctl with the invalid argument because of the bugs introduced by the config parser change commit. Fixed those bugs and make sure not to use 0 length keys for MPPE. reported by csszep at gmail and giovanni ok giovanni
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pipex.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index 3b700984e81..f3b1e22fe1d 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.37 2012/12/14 01:19:26 dlg Exp $ */
+/* $OpenBSD: pipex.c,v 1.38 2013/02/13 22:10:38 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -396,14 +396,24 @@ pipex_add_session(struct pipex_session_req *req,
}
#endif
#ifdef PIPEX_MPPE
- if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ACCEPTED) != 0)
+ if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ACCEPTED) != 0) {
+ if (req->pr_mppe_recv.keylenbits <= 0) {
+ free(session, M_TEMP);
+ return (EINVAL);
+ }
pipex_session_init_mppe_recv(session,
req->pr_mppe_recv.stateless, req->pr_mppe_recv.keylenbits,
req->pr_mppe_recv.master_key);
- if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ENABLED) != 0)
+ }
+ if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ENABLED) != 0) {
+ if (req->pr_mppe_send.keylenbits <= 0) {
+ free(session, M_TEMP);
+ return (EINVAL);
+ }
pipex_session_init_mppe_send(session,
req->pr_mppe_send.stateless, req->pr_mppe_send.keylenbits,
req->pr_mppe_send.master_key);
+ }
if (pipex_session_is_mppe_required(session)) {
if (!pipex_session_is_mppe_enabled(session) ||