git: 4d8fde8cff07 - main - ppp: Reject FSM messages whose length is smaller than the message header
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 10 Jun 2026 13:52:33 UTC
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=4d8fde8cff0796f32e659036543aa17d16a15b1b
commit 4d8fde8cff0796f32e659036543aa17d16a15b1b
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2026-06-10 13:44:10 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2026-06-10 13:44:10 +0000
ppp: Reject FSM messages whose length is smaller than the message header
PR: 271843
Reported by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: des, emaste
Differential Revision: https://reviews.freebsd.org/D57139
---
usr.sbin/ppp/fsm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr.sbin/ppp/fsm.c b/usr.sbin/ppp/fsm.c
index 5c011bef7f4f..060a9149a6af 100644
--- a/usr.sbin/ppp/fsm.c
+++ b/usr.sbin/ppp/fsm.c
@@ -1060,6 +1060,12 @@ fsm_Input(struct fsm *fp, struct mbuf *bp)
m_freem(bp);
return;
}
+ if (ntohs(lh.length) < sizeof(lh)) {
+ log_Printf(LogWARN, "%s: Header length %d is too small - dropped\n",
+ fp->link->name, (int)ntohs(lh.length));
+ m_freem(bp);
+ return;
+ }
if (lh.code < fp->min_code || lh.code > fp->max_code ||
lh.code > sizeof FsmCodes / sizeof *FsmCodes) {