authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2023-09-11 07:33:08 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2023-09-11 07:33:08 +0000
commite01d89aa8c3fd1ed7530c6a1e3dda8edc564df32 (patch)
tree8b81e1148c68c90709e1c75c81c05fffaf52234c /usr.sbin/npppd/l2tp
parent66b2b9b995dbc48f82d38bb554422876f75d9946 (diff)
Check if the avp->length is not broken. Also make sure that
avp_enum() checks if avp->length is valid. ok mvp
Diffstat (limited to 'usr.sbin/npppd/l2tp')
-rw-r--r--usr.sbin/npppd/l2tp/l2tp_subr.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/usr.sbin/npppd/l2tp/l2tp_subr.c b/usr.sbin/npppd/l2tp/l2tp_subr.c
index da1a0fe8c82..a312d7bc5b0 100644
--- a/usr.sbin/npppd/l2tp/l2tp_subr.c
+++ b/usr.sbin/npppd/l2tp/l2tp_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: l2tp_subr.c,v 1.4 2012/05/08 13:15:11 yasuoka Exp $ */
+/* $OpenBSD: l2tp_subr.c,v 1.5 2023/09/11 07:33:07 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
-/* $Id: l2tp_subr.c,v 1.4 2012/05/08 13:15:11 yasuoka Exp $ */
+/* $Id: l2tp_subr.c,v 1.5 2023/09/11 07:33:07 yasuoka Exp $ */
/**@file L2TP related sub-routines */
#include <sys/types.h>
#include <sys/time.h>
@@ -80,10 +80,10 @@ avp_enum(struct l2tp_avp *avp, const u_char *pkt, int pktlen, int filldata)
avp->attr_type |= *(pkt + 1);
pkt += 2;
- if (avp->length > pktlen)
+ if (avp->length < 6 || avp->length > pktlen)
return -1;
- if (filldata != 0)
+ if (avp->length > 6 && filldata != 0)
memcpy(avp->attr_value, pkt, avp->length - 6);
return avp->length;
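Review bot: The `memcpy` into `avp->attr_value` is bounded only on the source side. The new `avp->length < 6 || avp->length > pktlen` test keeps the read inside the packet, but nothing in this hunk limits the copy to the storage behind `attr_value`, and the signature in the hunk header takes no destination size. The struct definition and the callers are not visible here, so callers may already guarantee the space by how they allocate `avp`; if so, say it next to the copy, e.g. `/* caller provides room for up to pktlen - 6 value bytes when filldata != 0 */`. The repeated literal `6` would also read better as a named constant for the AVP header length. avp_enum's body starts before the hunk.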
@@ -285,9 +285,8 @@ avp_find(struct l2tp_avp *avp, const u_char *pkt, int pktlen,
while (pktlen >= 6 &&
(avpsz = avp_enum(avp, pkt, pktlen, fill_data)) > 0) {
+ L2TP_SUBR_ASSERT(avpsz >= 6);
if (avp->vendor_id != vendor_id || avp->attr_type != attr_type) {
- if (avpsz < 6)
- return NULL;
pkt += avpsz;
pktlen -= avpsz;
continue;
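Review bot: `L2TP_SUBR_ASSERT(avpsz >= 6)` replaces the runtime `if (avpsz < 6) return NULL;`, so in any build where the macro expands to nothing (its definition is not visible here) this loop relies entirely on avp_enum() rejecting short lengths. That holds with the avp_enum() check added in this same commit, but the dependency is implicit. A comment above the assertion would record it, e.g. `/* avp_enum() returns -1 when avp->length < 6, so each step advances by a whole AVP */`. avp_find's body starts and ends outside the hunk.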