git: 37e9d3641ba0 - main - ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow
Date: Mon, 08 Jun 2026 13:52:37 UTC
The branch main has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=37e9d3641ba0e0da0d2bbaa26a59ee56a8cf3ee6
commit 37e9d3641ba0e0da0d2bbaa26a59ee56a8cf3ee6
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2026-05-29 06:17:39 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-06-08 13:51:24 +0000
ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow
A PPTP client sending a specially crafted PPTP message with a length
smaller than the already processed fixed header can panic the system.
This results in a negative remaining length (a large unsigned 16-bit
number).
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
and Ke Xu from Tsinghua University using GLM-5.1 from
Z.ai
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D57383
---
sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
index dc4c67dc14f0..95eaf78bd575 100644
--- a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
+++ b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
@@ -318,7 +318,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev)
* it should match 1a2b3c4d. Byte order is ignored,
* deliberately, when printing out the error.
*/
- len = MIN(8 - pptps->pptps_bytes, dlen);
+ if (pptps->pptps_bytes >= 8)
+ return (-1);
+ len = MIN((size_t)(8 - pptps->pptps_bytes), dlen);
COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
pptps->pptps_bytes += len;
pptps->pptps_wptr += len;
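Review bot: the new `pptps_bytes >= 8` guard returns -1 without touching pptps_bytes or pptps_wptr, so if the caller keeps the session alive after -1, the next segment lands on the same guard with the same state. Please confirm the caller treats -1 as drop/teardown for this proxy session, and add a one-line comment above the check saying that reaching this branch with 8 or more header bytes already buffered means the proxy state is inconsistent (the header buffer is only 8 bytes, per the `MIN(8 - pptps->pptps_bytes, dlen)` that follows), since that is the only way the old expression could have gone negative here.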
@@ -361,7 +363,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev)
}
}
- len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen);
+ if (pptps->pptps_len <= pptps->pptps_bytes)
+ return (-1);
+ len = MIN((size_t)(pptps->pptps_len - pptps->pptps_bytes), dlen);
COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
pptps->pptps_bytes += len;
pptps->pptps_wptr += len;
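Review bot: `pptps_len <= pptps_bytes` also rejects the equality case, which is "message fully consumed, nothing left to copy" rather than an underflow; the old expression yielded len = 0 there, the new code returns -1. If the loop above can reach this line with zero bytes remaining (a message whose Length is exactly the bytes already copied), `<` is the intended comparison; if the completion case is always handled before this point, a comment saying so would stop the next reader from asking the same question. Separately, since pptps_len comes from the client-supplied Length field, checking `pptps_len >= 8` once, where the fixed header is parsed, would reject the crafted message described in the commit at the point it is read instead of relying on a guard at each copy site.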
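The failure mode the commit message describes, worked through in a standalone model of the proxy's two-phase copy (fixed 8-byte header, then the rest of the message). This is an added example, not ipfilter's code: the struct, field and function names (`pptp_state`, `msg_len`, `bytes`, `feed_segment`, the `demo_*` helpers) and the byte strings are ours and constructed for illustration. It shows the 16-bit wrap that turns Length 4 minus 8 consumed bytes into 65532, then the two places a guard can sit: at header parse time, which rejects the crafted Length outright, and at the remainder computation, which is the shape of the committed fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PPTP control message fixed header (RFC 2637): Length(2), Type(2), Magic(4). */
#define PPTP_HDR_LEN 8
#define PPTP_MAGIC   0x1A2B3C4Du
#define MIN(a, b)    ((a) < (b) ? (a) : (b))

/* Per-connection parser state (our names; they play the role of the proxy's
 * pptps_len / pptps_bytes). */
struct pptp_state {
    uint16_t msg_len;            /* Length field of the current message */
    uint16_t bytes;              /* bytes of the current message consumed */
    uint8_t  hdr[PPTP_HDR_LEN];  /* buffered fixed header */
    unsigned messages;           /* complete messages seen so far */
};

/* Unchecked arithmetic: the subtraction is done as int and truncated back to
 * 16 bits, so msg_len 4 with 8 bytes consumed yields 65532, not -4. */
static uint16_t remaining_unchecked(const struct pptp_state *st)
{
    return (uint16_t)(st->msg_len - st->bytes);
}

/* Guarded remainder, in the spirit of the fix: never let a negative value
 * reach the copy. Equality is left to the caller, which treats it as
 * "message complete" rather than as an error. */
static int remaining_checked(const struct pptp_state *st, size_t dlen, size_t *out)
{
    if (st->msg_len < st->bytes)
        return -1;
    *out = MIN((size_t)(st->msg_len - st->bytes), dlen);
    return 0;
}

/* Validate the buffered header. Rejecting Length < 8 here stops the crafted
 * message before any remainder arithmetic runs at all. */
static int parse_header(struct pptp_state *st)
{
    uint16_t len   = (uint16_t)((st->hdr[0] << 8) | st->hdr[1]);
    uint32_t magic = ((uint32_t)st->hdr[4] << 24) | ((uint32_t)st->hdr[5] << 16) |
                     ((uint32_t)st->hdr[6] << 8)  |  (uint32_t)st->hdr[7];
    if (magic != PPTP_MAGIC || len < PPTP_HDR_LEN)
        return -1;
    st->msg_len = len;
    return 0;
}

/* Consume one TCP segment of the control stream. Returns bytes consumed, or
 * -1 on a malformed message. Body bytes are only counted, not stored. */
static int feed_segment(struct pptp_state *st, const uint8_t *seg, size_t dlen)
{
    size_t off = 0, len;

    while (off < dlen) {
        if (st->bytes < PPTP_HDR_LEN) {
            len = MIN((size_t)(PPTP_HDR_LEN - st->bytes), dlen - off);
            memcpy(st->hdr + st->bytes, seg + off, len);
            st->bytes += (uint16_t)len;
            off += len;
            if (st->bytes < PPTP_HDR_LEN)
                break;                    /* header straddles segments */
            if (parse_header(st) < 0)
                return -1;
        } else {
            if (remaining_checked(st, dlen - off, &len) < 0)
                return -1;
            st->bytes += (uint16_t)len;
            off += len;
        }
        if (st->bytes == st->msg_len) {   /* message complete, start the next */
            st->messages++;
            st->bytes = 0;
        }
    }
    return (int)off;
}

/* Constructed input: Length 156 (0x009C), the size of a
 * Start-Control-Connection-Request, zero-filled body, split in two segments. */
static int demo_valid_message(void)
{
    struct pptp_state st = {0};
    uint8_t msg[156] = {0x00, 0x9C, 0x00, 0x01, 0x1A, 0x2B, 0x3C, 0x4D};

    if (feed_segment(&st, msg, 100) != 100)     return 0;
    if (feed_segment(&st, msg + 100, 56) != 56) return 0;
    return st.messages == 1 && st.bytes == 0;
}

/* Constructed input: crafted header with Length 4, smaller than the header. */
static const uint8_t crafted[16] = {0x00, 0x04, 0x00, 0x01, 0x1A, 0x2B, 0x3C, 0x4D};

/* What the unchecked arithmetic produces once such a Length is accepted. */
static unsigned demo_crafted_wraps(void)
{
    struct pptp_state st = {0};
    st.msg_len = 4;
    st.bytes   = PPTP_HDR_LEN;
    return remaining_unchecked(&st);             /* 65532 */
}

/* With header validation, the stream is rejected at the header. */
static int demo_crafted_rejected(void)
{
    struct pptp_state st = {0};
    return feed_segment(&st, crafted, sizeof crafted);   /* -1 */
}

/* Even if a bad msg_len slipped past header validation, the guarded
 * remainder refuses to hand a length to the copy. */
static int demo_crafted_guarded(void)
{
    struct pptp_state st = {0};
    size_t len = 0;
    st.msg_len = 4;
    st.bytes   = PPTP_HDR_LEN;
    return remaining_checked(&st, 1400, &len);   /* -1 */
}

int main(void)
{
    printf("valid=%d wrap=%u rejected=%d guarded=%d\n", demo_valid_message(),
           demo_crafted_wraps(), demo_crafted_rejected(), demo_crafted_guarded());
    return 0;
}
```

The two guards are not redundant: the header check catches the malformed Length at its source, while the remainder check also covers any other path that leaves `bytes` ahead of `msg_len`, which is the condition the committed hunks defend against.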