ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow
A PPTP client sending a specially crafted PPTP message with a length smaller than the already processed fixed header can panic the system. This results in a negative remaining length (a large unsigned 16-bit number).

Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D57383
@@ -318,7 +318,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev)
|
||||
* it should match 1a2b3c4d. Byte order is ignored,
|
||||
* deliberately, when printing out the error.
|
||||
*/
|
||||
len = MIN(8 - pptps->pptps_bytes, dlen);
|
||||
if (pptps->pptps_bytes >= 8)
|
||||
return (-1);
|
||||
len = MIN((size_t)(8 - pptps->pptps_bytes), dlen);
|
||||
COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
|
||||
pptps->pptps_bytes += len;
|
||||
pptps->pptps_wptr += len;
|
||||
@@ -361,7 +363,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev)
|
||||
}
|
||||
}
|
||||
|
||||
len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen);
|
||||
if (pptps->pptps_len <= pptps->pptps_bytes)
|
||||
return (-1);
|
||||
len = MIN((size_t)(pptps->pptps_len - pptps->pptps_bytes), dlen);
|
||||
COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
|
||||
pptps->pptps_bytes += len;
|
||||
pptps->pptps_wptr += len;
|
||||
|
||||
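Review bot: The new guard in both hunks also rejects the exact-boundary case (`pptps->pptps_bytes == 8` in the first, `pptps->pptps_len == pptps->pptps_bytes` in the second), which the replaced `len = MIN(...)` line handled as a harmless zero-length copy; whether that state is reachable with a well-formed stream depends on the control flow before line 318, which is outside the hunk, so it should be confirmed that a header or message ending exactly on a segment boundary cannot arrive here. The underflow itself originates where `pptps_len` is taken from the packet header, so a minimum-length check at that parse site (not visible in this diff) would stop a short length before it reaches either consumer, with these guards as the backstop. Neither guard says why it exists; a comment such as `/* Advertised length is shorter than what was already consumed: malformed, refuse rather than underflow. */` above each `return (-1);` would keep a future cleanup from folding it back into the MIN. ipf_p_pptp_nextmessage starts and ends outside both hunks.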