| | | |
|---|---|---|
| author | Paul Mackerras <paulus@ozlabs.org> | 2019-12-30 10:22:40 +1100 |
| committer | Paul Mackerras <paulus@ozlabs.org> | 2019-12-30 10:22:40 +1100 |
| commit | ca5e61b3db021dcfd48e36374a80cf2a3b997bb9 (patch) | |
| tree | 4c4588ad808116cc15d03cd282648e1d7c733990 | |
| parent | c10c3c7cb3e779af5286430d5c9bb835a873ab32 (diff) | |
| download | ppp-ca5e61b3db021dcfd48e36374a80cf2a3b997bb9.tar.gz | |
plugins/rp-pppoe: Make tag parsing loop condition more accurate
The loop in parsePacket() that parses the tags in a received PPPoE
packet uses a loop condition that checks if there is at least one
more byte to be read; however, the tag header is 4 bytes. Thus it
could read 3 bytes past the end of the received data. However,
there is no possibility of reading past the end of the
packet->payload array, since we previously checked that
len <= ETH_JUMBO_LEN (which is sizeof(packet->payload)) - 6.

Also, the tag length check will always fail (except for a tag
type of TAG_END_OF_LIST, which terminates processing).

This fixes the loop condition to require at least 4 bytes
remaining, so that we know that the tag header is within the
received data.
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
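The loop bound described in the commit message, as an added example that is not the ppp project's own code: a small instrumented PPPoE tag walker run twice over the same constructed payload, once with the pre-fix condition (at least one byte left) and once with the corrected one (at least TAG_HDR_SIZE bytes left). The payload ends in two stray bytes that look like the start of a tag header, which is exactly the case the fix addresses. The helper names (`walk_tags`, `rd`, `build_sample`, `run_sample`, `sample_*`) and the `PAYLOAD_CAP` constant are this example's own; `PAYLOAD_CAP` only stands in for sizeof(packet->payload) and is not taken from the plugin.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_HDR_SIZE    4        /* 2-byte type + 2-byte length, as in the plugin */
#define TAG_END_OF_LIST 0x0000   /* PPPoE End-Of-List tag type (RFC 2516) */
#define PAYLOAD_CAP     1508     /* stand-in for sizeof(packet->payload); assumed size */

struct parse_result {
    int ok;          /* 1 if the walk ended cleanly (End-Of-List or no full header left) */
    int tags;        /* number of complete tags accepted */
    size_t overread; /* header bytes fetched at offsets >= len */
};

/* Instrumented byte fetch: stays inside the array but counts reads past `len`. */
static uint8_t rd(const uint8_t *payload, size_t len, size_t off, size_t *overread)
{
    if (off >= len)
        (*overread)++;
    return payload[off];
}

/* Walk the tag list. strict_hdr == 0 reproduces the pre-fix bound (>= 1 byte left);
 * strict_hdr == 1 reproduces the fixed bound (>= TAG_HDR_SIZE bytes left). */
static struct parse_result walk_tags(const uint8_t *payload, size_t len, int strict_hdr)
{
    struct parse_result r = { 1, 0, 0 };
    size_t off = 0;

    while (strict_hdr ? off + TAG_HDR_SIZE <= len : off < len) {
        /* Alignment is not guaranteed, so assemble the fields by hand. */
        uint16_t type = (uint16_t)((rd(payload, len, off,     &r.overread) << 8)
                                  | rd(payload, len, off + 1, &r.overread));
        uint16_t tlen = (uint16_t)((rd(payload, len, off + 2, &r.overread) << 8)
                                  | rd(payload, len, off + 3, &r.overread));
        if (type == TAG_END_OF_LIST)
            break;
        /* Body check: the tag value must also lie within the received data. */
        if (off + TAG_HDR_SIZE + tlen > len) {
            r.ok = 0;
            break;
        }
        r.tags++;
        off += TAG_HDR_SIZE + tlen;
    }
    return r;
}

/* Constructed sample payload (not a captured packet): Service-Name (empty),
 * Host-Uniq "abcd", then two stray bytes that look like the start of a header. */
static size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t bytes[] = {
        0x01, 0x01, 0x00, 0x00,                         /* Service-Name, length 0 */
        0x01, 0x03, 0x00, 0x04, 'a', 'b', 'c', 'd',     /* Host-Uniq, length 4 */
        0x01, 0x05,                                     /* only 2 of 4 header bytes */
    };
    memset(buf, 0, cap);              /* assume the array is zero beyond len */
    memcpy(buf, bytes, sizeof bytes);
    return sizeof bytes;              /* len = 14 */
}

/* Run the sample with either loop bound. */
static struct parse_result run_sample(int strict_hdr)
{
    uint8_t payload[PAYLOAD_CAP];
    size_t len = build_sample(payload, sizeof payload);
    return walk_tags(payload, len, strict_hdr);
}

static size_t sample_overread(int strict_hdr) { return run_sample(strict_hdr).overread; }
static int    sample_tags(int strict_hdr)     { return run_sample(strict_hdr).tags; }
static int    sample_ok(int strict_hdr)       { return run_sample(strict_hdr).ok; }

int main(void)
{
    for (int strict = 0; strict <= 1; strict++) {
        struct parse_result r = run_sample(strict);
        printf("%s bound: tags=%d ok=%d bytes read past len=%zu\n",
               strict ? "fixed   " : "original", r.tags, r.ok, r.overread);
    }
    return 0;
}
```

With the original bound the walker accepts both real tags, then assembles a header from offset 12, fetching two bytes beyond the 14 received; because the tail is zero the bogus tag fails the body-length check, which is the behaviour the commit message describes. With the fixed bound the two-byte fragment is never treated as a header, no byte past `len` is touched, and the walk ends cleanly. The body check after the header read is the companion condition a reviewer should expect alongside the corrected loop bound.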
-rw-r--r-- | pppd/plugins/rp-pppoe/common.c | 2 |
1 file changed, 1 insertion, 1 deletion
diff --git a/pppd/plugins/rp-pppoe/common.c b/pppd/plugins/rp-pppoe/common.c index 8f175ec..9ea7fd6 100644 --- a/pppd/plugins/rp-pppoe/common.c +++ b/pppd/plugins/rp-pppoe/common.c @@ -65,7 +65,7 @@ parsePacket(PPPoEPacket *packet, ParseFunc *func, void *extra) /* Step through the tags */ curTag = packet->payload; - while(curTag - packet->payload < len) { + while (curTag - packet->payload + TAG_HDR_SIZE <= len) { /* Alignment is not guaranteed, so do this by hand... */ tagType = (curTag[0] << 8) + curTag[1]; tagLen = (curTag[2] << 8) + curTag[3]; |
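Review bot: the new bound only establishes that the 4-byte header lies inside `len`; the hunk ends at `tagLen = (curTag[2] << 8) + curTag[3];`, before the check that the `tagLen`-byte body also fits, so that check (the commit message says one exists) needs the matching arithmetic, along the lines of `if (curTag - packet->payload + TAG_HDR_SIZE + tagLen > len)`, otherwise the body read can still overrun the received data even though the header no longer does. A short comment next to `/* Step through the tags */` would also help: with `+ TAG_HDR_SIZE <= len` required, a payload ending in 1 to 3 stray bytes now leaves the loop silently instead of being parsed as a tag, which is a deliberate behaviour change worth recording beside the `while` line.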