authorDan Harnett <danh@cvs.openbsd.org>2004-11-03 03:33:12 +0000
committerDan Harnett <danh@cvs.openbsd.org>2004-11-03 03:33:12 +0000
commitfc88d6de99a7e8f11badf138745d550e4b6aa949 (patch)
tree7c8f64acdfbbdfee795a381b31ce6652e30ff94c /usr.sbin/pppd/cbcp.c
parent872898bf8b7e773610a24bf47e6506782df99d6b (diff)
fix for potential denial of service.
http://www.securityfocus.com/archive/1/379450/2004-10-24/2004-10-30/0 looks ok millert@ and henning@; "commit it" deraadt@
Diffstat (limited to 'usr.sbin/pppd/cbcp.c')
-rw-r--r--usr.sbin/pppd/cbcp.c23
1 files changed, 13 insertions, 10 deletions
diff --git a/usr.sbin/pppd/cbcp.c b/usr.sbin/pppd/cbcp.c
index 37ed487d826..e89214f23b5 100644
--- a/usr.sbin/pppd/cbcp.c
+++ b/usr.sbin/pppd/cbcp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cbcp.c,v 1.5 2002/09/13 18:19:45 deraadt Exp $ */
+/* $OpenBSD: cbcp.c,v 1.6 2004/11/03 03:33:11 danh Exp $ */
/*
* cbcp - Call Back Configuration Protocol.
@@ -34,7 +34,7 @@
#if 0
static char rcsid[] = "Id: cbcp.c,v 1.2 1997/04/30 05:50:26 paulus Exp";
#else
-static char rcsid[] = "$OpenBSD: cbcp.c,v 1.5 2002/09/13 18:19:45 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: cbcp.c,v 1.6 2004/11/03 03:33:11 danh Exp $";
#endif
#endif
@@ -147,13 +147,10 @@ cbcp_input(unit, inpacket, pktlen)
GETCHAR(id, inp);
GETSHORT(len, inp);
-#if 0
- if (len > pktlen) {
+ if (len < CBCP_MINLEN || len > pktlen) {
syslog(LOG_ERR, "CBCP packet: invalid length");
return;
}
-#endif
-
len -= CBCP_MINLEN;
switch(code) {
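Review bot: The re-enabled length check in cbcp_input carries no comment saying why the lower bound matters. `len` is read from the packet header by GETSHORT and is reduced by CBCP_MINLEN immediately afterwards, so a value below CBCP_MINLEN would go negative or wrap, depending on the type of `len`, which is declared outside this hunk. A one-line comment above the test would record that, e.g. `/* len comes from the peer: it must cover the header and fit in the received packet */`. The function starts and ends outside the hunk.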
@@ -286,12 +283,16 @@ cbcp_recvreq(us, pckt, pcktlen)
address[0] = 0;
- while (len) {
+ while (len > 1) {
syslog(LOG_DEBUG, "length: %d", len);
GETCHAR(type, pckt);
GETCHAR(opt_len, pckt);
+ if (len < opt_len)
+ break;
+ len -= opt_len;
+
if (opt_len > 2)
GETCHAR(delay, pckt);
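Review bot: An option length below 2 still passes the new guard in cbcp_recvreq, because `if (len < opt_len) break;` rejects only options longer than the remaining data. With an opt_len of 0, `len -= opt_len` leaves len unchanged while the two GETCHAR calls have already advanced pckt, so the `while (len > 1)` loop makes no progress on len and keeps reading past the end of the packet. The `opt_len > 2` test before reading the delay byte suggests opt_len counts the type and length bytes themselves, so the guard should be `if (opt_len < 2 || opt_len > len) break;`. The rest of the loop body and the function lie outside this hunk.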
@@ -320,7 +321,6 @@ cbcp_recvreq(us, pckt, pcktlen)
case CB_CONF_LIST:
break;
}
- len -= opt_len;
}
cbcp_resp(us);
@@ -414,10 +414,13 @@ cbcp_recvack(us, pckt, len)
int opt_len;
char address[256];
- if (len) {
+ if (len > 1) {
GETCHAR(type, pckt);
GETCHAR(opt_len, pckt);
-
+
+ if (opt_len > len)
+ return;
+
if (opt_len > 2)
GETCHAR(delay, pckt);
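Review bot: The new `if (opt_len > len) return;` in cbcp_recvack drops a malformed ack without any log entry, whereas the length check in cbcp_input in this same commit logs `CBCP packet: invalid length`. A line such as `syslog(LOG_ERR, "CBCP ack: invalid option length");` before the return would make a misbehaving peer visible in the logs. The check also accepts an opt_len below 2 and is written the other way round from the one in cbcp_recvreq (`len < opt_len`); using `if (opt_len < 2 || opt_len > len)` in both places would keep them consistent. The function body continues past the end of this hunk.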