Apply by doing:
	cd /usr/src
	patch -p0 < 009_sppp.patch

And then rebuild your kernel.

Index: sys/net/if_spppsubr.c
===================================================================
RCS file: /cvs/src/sys/net/if_spppsubr.c,v
retrieving revision 1.38
retrieving revision 1.38.2.1
diff -u -p -r1.38 -r1.38.2.1
--- sys/net/if_spppsubr.c	24 Feb 2006 20:34:34 -0000	1.38
+++ sys/net/if_spppsubr.c	2 Sep 2006 18:09:01 -0000	1.38.2.1
@@ -1317,6 +1317,9 @@ sppp_cp_input(const struct cp *cp, struc
 			return;
 		}
 		rv = (cp->RCR)(sp, h, len);
+		/* silently drop illegal packets */
+		if (rv == -1)
+			return;
 		switch (sp->state[cp->protoidx]) {
 		case STATE_OPENED:
 			sppp_cp_change_state(cp, sp, rv?
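Review bot: The `rv == -1` drop right after the `(cp->RCR)` call leaves no trace: there is no debug message and, as far as the hunk shows, no error counter, so a peer that keeps sending malformed option lists is invisible to whoever operates the link. Because `rv` is otherwise consumed as a truth value (`rv?` in the STATE_OPENED case), -1 is also a new third outcome of the RCR contract that the comment does not spell out; something like `/* RCR returns -1 for a malformed option list and has already freed its buffer; drop without replying or changing state */` would document it. Consider counting the drop as well, e.g. `++ifp->if_ierrors;` before the `return`, assuming `ifp` is in scope here as it is in the handlers. sppp_cp_input's body starts and continues outside the hunk.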
@@ -2045,7 +2048,11 @@ sppp_lcp_RCR(struct sppp *sp, struct lcp
 
 	/* pass 1: check for things that need to be rejected */
 	p = (void*) (h+1);
-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
+	for (rlen = 0; len > 1; len -= p[1], p += p[1]) {
+		if (p[1] < 2 || p[1] > len) {
+			free(buf, M_TEMP);
+			return (-1);
+		}
 		if (debug)
 			addlog("%s ", sppp_lcp_opt_name(*p));
 		switch (*p) {
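Review bot: A one-byte remainder is still accepted. The new check rejects an option whose length is below 2 or above the remaining `len`, but when the options leave exactly one stray byte the `len > 1` condition simply ends the loop and the request is handled as if it were well-formed. If strict parsing is intended, reject that case after the loop with `if (len != 0) { free(buf, M_TEMP); return (-1); }`, provided nothing after pass 1 relies on the leftover `len`. The same remainder case exists in the loops of sppp_lcp_RCN_rej, sppp_lcp_RCN_nak, sppp_ipcp_RCR, sppp_ipcp_RCN_rej and sppp_ipcp_RCN_nak. The loop body and the later passes of sppp_lcp_RCR are outside the hunk.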
@@ -2232,19 +2239,18 @@ HIDE void
 sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 {
 	STDDCL;
-	u_char *buf, *p;
+	u_char *p;
 
 	len -= 4;
-	buf = malloc (len, M_TEMP, M_NOWAIT);
-	if (!buf)
-		return;
 
 	if (debug)
 		log(LOG_DEBUG, SPP_FMT "lcp rej opts: ",
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len > 1; len -= p[1], p += p[1]) {
+		if (p[1] < 2 || p[1] > len)
+			return;
 		if (debug)
 			addlog("%s ", sppp_lcp_opt_name(*p));
 		switch (*p) {
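Review bot: The early `return` on a bad option length leaves the debug line opened by `log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", ...)` unterminated, because the closing `addlog("\n")` at the end of the function is skipped. Nothing in the log says the packet was discarded as malformed either. With debugging enabled that is the event an operator most wants to see; bracing the check and adding `if (debug) addlog("[invalid option length]\n");` before the `return` would terminate the line and record the reason. The same applies to the early exits in sppp_lcp_RCN_nak, sppp_ipcp_RCN_rej and sppp_ipcp_RCN_nak, and to the `return (-1)` paths in the two RCR handlers. The switch body is outside the hunk.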
@@ -2283,8 +2289,6 @@ sppp_lcp_RCN_rej(struct sppp *sp, struct
 	}
 	if (debug)
 		addlog("\n");
-	free (buf, M_TEMP);
-	return;
 }
 
 /*
@@ -2295,20 +2299,19 @@ HIDE void
 sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 {
 	STDDCL;
-	u_char *buf, *p;
+	u_char *p;
 	u_long magic;
 
 	len -= 4;
-	buf = malloc (len, M_TEMP, M_NOWAIT);
-	if (!buf)
-		return;
 
 	if (debug)
 		log(LOG_DEBUG, SPP_FMT "lcp nak opts: ",
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len > 1; len -= p[1], p += p[1]) {
+		if (p[1] < 2 || p[1] > len)
+			return;
 		if (debug)
 			addlog("%s ", sppp_lcp_opt_name(*p));
 		switch (*p) {
@@ -2363,8 +2366,6 @@ sppp_lcp_RCN_nak(struct sppp *sp, struct
 	}
 	if (debug)
 		addlog("\n");
-	free (buf, M_TEMP);
-	return;
 }
 
 HIDE void
@@ -2656,7 +2657,11 @@ sppp_ipcp_RCR(struct sppp *sp, struct lc
 		log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ",
 		    SPP_ARGS(ifp));
 	p = (void*) (h+1);
-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
+	for (rlen = 0; len > 1; len -= p[1], p += p[1]) {
+		if (p[1] < 2 || p[1] > len) {
+			free(buf, M_TEMP);
+			return (-1);
+		}
 		if (debug)
 			addlog("%s ", sppp_ipcp_opt_name(*p));
 		switch (*p) {
@@ -2803,21 +2808,20 @@ sppp_ipcp_RCR(struct sppp *sp, struct lc
 HIDE void
 sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 {
-	u_char *buf, *p;
+	u_char *p;
 	struct ifnet *ifp = &sp->pp_if;
 	int debug = ifp->if_flags & IFF_DEBUG;
 
 	len -= 4;
-	buf = malloc (len, M_TEMP, M_NOWAIT);
-	if (!buf)
-		return;
 
 	if (debug)
 		log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ",
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len > 1; len -= p[1], p += p[1]) {
+		if (p[1] < 2 || p[1] > len)
+			return;
 		if (debug)
 			addlog("%s ", sppp_ipcp_opt_name(*p));
 		switch (*p) {
@@ -2837,8 +2841,6 @@ sppp_ipcp_RCN_rej(struct sppp *sp, struc
 	}
 	if (debug)
 		addlog("\n");
-	free (buf, M_TEMP);
-	return;
 }
 
 /*
@@ -2848,22 +2850,21 @@ sppp_ipcp_RCN_rej(struct sppp *sp, struc
 HIDE void
 sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 {
-	u_char *buf, *p;
+	u_char *p;
 	struct ifnet *ifp = &sp->pp_if;
 	int debug = ifp->if_flags & IFF_DEBUG;
 	u_long wantaddr;
 
 	len -= 4;
-	buf = malloc (len, M_TEMP, M_NOWAIT);
-	if (!buf)
-		return;
 
 	if (debug)
 		log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ",
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len > 1; len -= p[1], p += p[1]) {
+		if (p[1] < 2 || p[1] > len)
+			return;
 		if (debug)
 			addlog("%s ", sppp_ipcp_opt_name(*p));
 		switch (*p) {
@@ -2904,8 +2905,6 @@ sppp_ipcp_RCN_nak(struct sppp *sp, struc
 	}
 	if (debug)
 		addlog("\n");
-	free (buf, M_TEMP);
-	return;
 }
 
 HIDE void