Apply by doing: cd /usr/src patch -p0 < 009_sppp.patch And then rebuild your kernel. Index: sys/net/if_spppsubr.c =================================================================== RCS file: /cvs/src/sys/net/if_spppsubr.c,v retrieving revision 1.38 retrieving revision 1.38.2.1 diff -u -p -r1.38 -r1.38.2.1 --- sys/net/if_spppsubr.c 24 Feb 2006 20:34:34 -0000 1.38 +++ sys/net/if_spppsubr.c 2 Sep 2006 18:09:01 -0000 1.38.2.1 @@ -1317,6 +1317,9 @@ sppp_cp_input(const struct cp *cp, struc return; } rv = (cp->RCR)(sp, h, len); + /* silently drop illegal packets */ + if (rv == -1) + return; switch (sp->state[cp->protoidx]) { case STATE_OPENED: sppp_cp_change_state(cp, sp, rv? @@ -2045,7 +2048,11 @@ sppp_lcp_RCR(struct sppp *sp, struct lcp /* pass 1: check for things that need to be rejected */ p = (void*) (h+1); - for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { + for (rlen = 0; len > 1; len -= p[1], p += p[1]) { + if (p[1] < 2 || p[1] > len) { + free(buf, M_TEMP); + return (-1); + } if (debug) addlog("%s ", sppp_lcp_opt_name(*p)); switch (*p) { @@ -2232,19 +2239,18 @@ HIDE void sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) { STDDCL; - u_char *buf, *p; + u_char *p; len -= 4; - buf = malloc (len, M_TEMP, M_NOWAIT); - if (!buf) - return; if (debug) log(LOG_DEBUG, SPP_FMT "lcp rej opts: ", SPP_ARGS(ifp)); p = (void*) (h+1); - for (; len > 1 && p[1]; len -= p[1], p += p[1]) { + for (; len > 1; len -= p[1], p += p[1]) { + if (p[1] < 2 || p[1] > len) + return; if (debug) addlog("%s ", sppp_lcp_opt_name(*p)); switch (*p) { @@ -2283,8 +2289,6 @@ sppp_lcp_RCN_rej(struct sppp *sp, struct } if (debug) addlog("\n"); - free (buf, M_TEMP); - return; } /* 
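Review bot: The new `if (rv == -1) return;` after the RCR call turns a callback that was used as a boolean (see the `rv?` ternary two lines below) into a tri-state, yet nothing at the call site says every RCR in the cp table must honour it; in the visible hunks only sppp_lcp_RCR and sppp_ipcp_RCR are taught to return -1, so any other handler in the table that could already return -1 for a nak would now be silently dropped instead. I would add `/* RCR returns 1 = ack, 0 = nak/rej sent, -1 = malformed packet: drop it, no state change */` above the call. The drop is also completely silent; if `debug` is in scope here (the function starts and ends outside the hunk) a `log(LOG_DEBUG, ...)` naming the protocol would help diagnose a peer sending bad option lengths.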
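Review bot: The added length check in pass 1 of sppp_lcp_RCR bails out while a debug line is still open: the per-option `addlog("%s ", sppp_lcp_opt_name(*p))` lines are appended to a `log(LOG_DEBUG, ...)` prefix (outside the hunk; the IPCP counterpart `"ipcp parse opts: "` is visible in a later hunk) and the closing `addlog("\n")` is never reached, so with IFF_DEBUG set the next kernel message is glued onto the partial option list. Insert `if (debug) addlog("\n");` before the `free(buf, M_TEMP);`. The `return (-1)` is also a new contract for a function whose other returns are presumably 0/1; the function header (outside the hunk) should say so. Pass 2 of this function re-walks the same options and is outside the hunk; it is safe only because pass 1 now rejects any bad length before anything is modified, which deserves a one-line comment on the check.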
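Review bot: The bare `return;` on a bad option length in sppp_lcp_RCN_rej gives the caller (presumably sppp_cp_input, outside the hunk) no way to tell that the Configure-Reject was malformed, so unlike the RCR path the state machine still runs for it, and whatever the switch cases (outside the hunk) already did for well-formed options earlier in the loop stays applied — a peer can send a half-valid reject whose tail is garbage and have the valid prefix honoured. If that asymmetry is intended, say so on the check: `/* illegal length: stop parsing; earlier options are already applied and the caller still treats this as a valid RCN */`; otherwise the RCN_* callbacks need an int return like RCR. The early return also skips the closing `addlog("\n")`, leaving the `"lcp rej opts: "` debug line unterminated; `if (debug) addlog("\n");` before the return fixes that. Dropping the never-used `buf` allocation is a good cleanup.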
@@ -2295,20 +2299,19 @@ HIDE void sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) { STDDCL; - u_char *buf, *p; + u_char *p; u_long magic; len -= 4; - buf = malloc (len, M_TEMP, M_NOWAIT); - if (!buf) - return; if (debug) log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", SPP_ARGS(ifp)); p = (void*) (h+1); - for (; len > 1 && p[1]; len -= p[1], p += p[1]) { + for (; len > 1; len -= p[1], p += p[1]) { + if (p[1] < 2 || p[1] > len) + return; if (debug) addlog("%s ", sppp_lcp_opt_name(*p)); switch (*p) { @@ -2363,8 +2366,6 @@ sppp_lcp_RCN_nak(struct sppp *sp, struct } if (debug) addlog("\n"); - free (buf, M_TEMP); - return; } HIDE void @@ -2656,7 +2657,11 @@ sppp_ipcp_RCR(struct sppp *sp, struct lc log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ", SPP_ARGS(ifp)); p = (void*) (h+1); - for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) { + for (rlen = 0; len > 1; len -= p[1], p += p[1]) { + if (p[1] < 2 || p[1] > len) { + free(buf, M_TEMP); + return (-1); + } if (debug) addlog("%s ", sppp_ipcp_opt_name(*p)); switch (*p) { @@ -2803,21 +2808,20 @@ sppp_ipcp_RCR(struct sppp *sp, struct lc HIDE void sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len) { - u_char *buf, *p; + u_char *p; struct ifnet *ifp = &sp->pp_if; int debug = ifp->if_flags & IFF_DEBUG; len -= 4; - buf = malloc (len, M_TEMP, M_NOWAIT); - if (!buf) - return; if (debug) log(LOG_DEBUG, SPP_FMT "ipcp rej opts: ", SPP_ARGS(ifp)); p = (void*) (h+1); - for (; len > 1 && p[1]; len -= p[1], p += p[1]) { + for (; len > 1; len -= p[1], p += p[1]) { + if (p[1] < 2 || p[1] > len) + return; if (debug) addlog("%s ", sppp_ipcp_opt_name(*p)); switch (*p) { @@ -2837,8 +2841,6 @@ sppp_ipcp_RCN_rej(struct sppp *sp, struc } if (debug) addlog("\n"); - free (buf, M_TEMP); - return; } /* 
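Review bot: The new `if (p[1] < 2 || p[1] > len) return;` in sppp_lcp_RCN_nak exits while a debug line is open: `log(LOG_DEBUG, SPP_FMT "lcp nak opts: ", SPP_ARGS(ifp))` prints without a newline and the trailing `addlog("\n")` at the end of the function is skipped, so with IFF_DEBUG on the next kernel message is appended to the partial option list. Use `if (p[1] < 2 || p[1] > len) { if (debug) addlog("\n"); return; }`. Because the callback is void, a malformed nak is otherwise indistinguishable from a well-formed one to the caller, and whatever the switch cases (outside the hunk) did for earlier, well-formed options remains in effect; a comment on the check saying this is deliberate would save the next reader the question.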
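Review bot: The `return (-1)` added to pass 1 of sppp_ipcp_RCR is a new contract for this callback (previously used as a boolean, judging from the `rv?` ternary in sppp_cp_input) and nothing near the function says so; I would put `/* Returns 1 if the request was acked, 0 if a nak/rej was sent, -1 if the packet is malformed and must be dropped. */` on the function header, which is outside the hunk. The bail-out also leaves the `"ipcp parse opts: "` log line visible just above without its newline; add `if (debug) addlog("\n");` before the `free(buf, M_TEMP);`. Note the guard runs only after the loop's `len > 1` test, so a single trailing byte is silently ignored rather than rejected; harmless, but worth a word if strictness is the goal.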
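Review bot: sppp_ipcp_RCN_rej carries the fourth copy of the `if (p[1] < 2 || p[1] > len)` guard in this patch, each with a different bail-out; a single helper such as `static inline int sppp_opt_len_ok(const u_char *p, int len) { return p[1] >= 2 && p[1] <= len; }` would keep the five option walkers in step if the rule ever changes (say, to also reject a trailing lone byte). As with the LCP variant, the bare `return;` leaves the `"ipcp rej opts: "` debug line without its newline and gives the caller (outside the hunk) no signal that the reject was malformed; `if (debug) addlog("\n");` before the return plus a comment that the caller still proceeds would cover both. Removing the malloc/free of the unused `buf` is dead-code cleanup; good. The switch body is outside the hunk.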
@@ -2848,22 +2850,21 @@ sppp_ipcp_RCN_rej(struct sppp *sp, struc HIDE void sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len) { - u_char *buf, *p; + u_char *p; struct ifnet *ifp = &sp->pp_if; int debug = ifp->if_flags & IFF_DEBUG; u_long wantaddr; len -= 4; - buf = malloc (len, M_TEMP, M_NOWAIT); - if (!buf) - return; if (debug) log(LOG_DEBUG, SPP_FMT "ipcp nak opts: ", SPP_ARGS(ifp)); p = (void*) (h+1); - for (; len > 1 && p[1]; len -= p[1], p += p[1]) { + for (; len > 1; len -= p[1], p += p[1]) { + if (p[1] < 2 || p[1] > len) + return; if (debug) addlog("%s ", sppp_ipcp_opt_name(*p)); switch (*p) { @@ -2904,8 +2905,6 @@ sppp_ipcp_RCN_nak(struct sppp *sp, struc } if (debug) addlog("\n"); - free (buf, M_TEMP); - return; } HIDE void
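Review bot: With the new `p[1]` guard sppp_ipcp_RCN_nak stops at the first bad option and returns, but whatever the switch body (outside the hunk) already did for the options before it — including any assignment to `wantaddr` — is done, and the void return gives the caller no hint; if that is accepted, state it on the check: `/* illegal length: stop here; options already parsed remain in effect and the caller cannot tell */`. The `"ipcp nak opts: "` debug line is again left without a newline on that path; `if (debug) addlog("\n");` before the return fixes it. Minor: `len -= 4` subtracts the control-protocol header as a magic number; `sizeof(struct lcp_header)` would state the intent, assuming that is the 4-byte type `h` points to.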