author: Colin Percival <cperciva@FreeBSD.org> 2006-08-23 22:06:40 +0000
committer: Colin Percival <cperciva@FreeBSD.org> 2006-08-23 22:06:40 +0000
commit: 86fcd2acb8b81dcfce7e0876c0c7e603e1e50886 (patch)
tree: 04c94d5298687cd4287302f0e572b534edbf751c
parent: 6c2f24c880a628276b5956bb4d118e98799c4904 (diff)
3 files changed, 28 insertions, 13 deletions
diff --git a/UPDATING b/UPDATING
index 848ab2695da0..6d0caa9cf426 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,9 @@ Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.  Important recent entries: 20040724 (default X changes).
 
+20060823:	p32	FreeBSD-SA-06:18.ppp
+	Correct buffer overflow in the handling of LCP options in ppp(4).
+
 20060614:	p31	FreeBSD-SA-06:17.sendmail
 	Correct a bug in the handling of multipart messages by sendmail(8)
 	which can allow a malformed message to crash a sendmail queue
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index e60b71266011..5c4655fa44c1 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="5.3"
-BRANCH="RELEASE-p31"
+BRANCH="RELEASE-p32"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"
 
diff --git a/sys/net/if_spppsubr.c b/sys/net/if_spppsubr.c
index 71019750bfd9..32beb2860f65 100644
--- a/sys/net/if_spppsubr.c
+++ b/sys/net/if_spppsubr.c
@@ -2204,7 +2204,8 @@ sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 
 	/* pass 1: check for things that need to be rejected */
 	p = (void*) (h+1);
-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
+	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len-=p[1], p+=p[1]) {
 		if (debug)
 			log(-1, " %s ", sppp_lcp_opt_name(*p));
 		switch (*p) {
@@ -2283,7 +2284,8 @@ sppp_lcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 
 	p = (void*) (h+1);
 	len = origlen;
-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
+	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len-=p[1], p+=p[1]) {
 		if (debug)
 			log(-1, " %s ", sppp_lcp_opt_name(*p));
 		switch (*p) {
@@ -2425,7 +2427,8 @@ sppp_lcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len -= p[1], p += p[1]) {
 		if (debug)
 			log(-1, " %s ", sppp_lcp_opt_name(*p));
 		switch (*p) {
@@ -2489,7 +2492,8 @@ sppp_lcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len -= p[1], p += p[1]) {
 		if (debug)
 			log(-1, " %s ", sppp_lcp_opt_name(*p));
 		switch (*p) {
@@ -2881,7 +2885,8 @@ sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 		log(LOG_DEBUG, SPP_FMT "ipcp parse opts: ",
 		    SPP_ARGS(ifp));
 	p = (void*) (h+1);
-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
+	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len-=p[1], p+=p[1]) {
 		if (debug)
 			log(-1, " %s ", sppp_ipcp_opt_name(*p));
 		switch (*p) {
@@ -2950,7 +2955,8 @@ sppp_ipcp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 		       SPP_ARGS(ifp));
 	p = (void*) (h+1);
 	len = origlen;
-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
+	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len-=p[1], p+=p[1]) {
 		if (debug)
 			log(-1, " %s ", sppp_ipcp_opt_name(*p));
 		switch (*p) {
@@ -3081,7 +3087,8 @@ sppp_ipcp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len -= p[1], p += p[1]) {
 		if (debug)
 			log(-1, " %s ", sppp_ipcp_opt_name(*p));
 		switch (*p) {
@@ -3127,7 +3134,8 @@ sppp_ipcp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len -= p[1], p += p[1]) {
 		if (debug)
 			log(-1, " %s ", sppp_ipcp_opt_name(*p));
 		switch (*p) {
@@ -3357,7 +3365,8 @@ sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 		    SPP_ARGS(ifp));
 	p = (void*) (h+1);
 	ifidcount = 0;
-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
+	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len-=p[1], p+=p[1]) {
 		if (debug)
 			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
 		switch (*p) {
@@ -3407,7 +3416,8 @@ sppp_ipv6cp_RCR(struct sppp *sp, struct lcp_header *h, int len)
 	p = (void*) (h+1);
 	len = origlen;
 	type = CONF_ACK;
-	for (rlen=0; len>1 && p[1]; len-=p[1], p+=p[1]) {
+	for (rlen=0; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len-=p[1], p+=p[1]) {
 		if (debug)
 			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
 		switch (*p) {
@@ -3506,7 +3516,8 @@ sppp_ipv6cp_RCN_rej(struct sppp *sp, struct lcp_header *h, int len)
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len -= p[1], p += p[1]) {
 		if (debug)
 			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
 		switch (*p) {
@@ -3552,7 +3563,8 @@ sppp_ipv6cp_RCN_nak(struct sppp *sp, struct lcp_header *h, int len)
 		    SPP_ARGS(ifp));
 
 	p = (void*) (h+1);
-	for (; len > 1 && p[1]; len -= p[1], p += p[1]) {
+	for (; len >= 2 && p[1] >= 2 && len >= p[1];
+	    len -= p[1], p += p[1]) {
 		if (debug)
 			log(-1, " %s", sppp_ipv6cp_opt_name(*p));
 		switch (*p) {
author	Colin Percival <cperciva@FreeBSD.org>	2006-08-23 22:06:40 +0000
committer	Colin Percival <cperciva@FreeBSD.org>	2006-08-23 22:06:40 +0000
commit	86fcd2acb8b81dcfce7e0876c0c7e603e1e50886 (patch)
tree	04c94d5298687cd4287302f0e572b534edbf751c
parent	6c2f24c880a628276b5956bb4d118e98799c4904 (diff)