ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow

A PPTP client sending a specially crafted PPTP message with a length
smaller than the already processed fixed header can panic the system.
This results in a negative remaining length (a large unsigned 16-bit
number).

Reported by:	Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
		and Ke Xu from Tsinghua University using GLM-5.1 from
		Z.ai
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D57383
Cy Schubert
2026-05-28 23:17:39 -07:00
parent 035e87247f
commit 37e9d3641b
+6 -2
@@ -318,7 +318,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev)
* it should match 1a2b3c4d. Byte order is ignored,
* deliberately, when printing out the error.
*/
len = MIN(8 - pptps->pptps_bytes, dlen);
if (pptps->pptps_bytes >= 8)
return (-1);
len = MIN((size_t)(8 - pptps->pptps_bytes), dlen);
COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
pptps->pptps_bytes += len;
pptps->pptps_wptr += len;
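Review bot: the new early return `if (pptps->pptps_bytes >= 8) return (-1);` is placed directly under a comment block that still only describes the 1a2b3c4d magic check, so the reader is not told why having already consumed 8 or more header bytes on this path is an error rather than a completed fixed header; add a one-line comment stating the invariant (fewer than 8 header bytes collected when this code runs) and that -1 means the message is rejected. The `(size_t)` cast on `8 - pptps->pptps_bytes` is only safe because that guard precedes it, so the two statements should stay adjacent.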
@@ -361,7 +363,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, pptp_pxy_t *pptp, int rev)
}
}
len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen);
if (pptps->pptps_len <= pptps->pptps_bytes)
return (-1);
len = MIN((size_t)(pptps->pptps_len - pptps->pptps_bytes), dlen);
COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
pptps->pptps_bytes += len;
pptps->pptps_wptr += len;
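Review bot: the guard `if (pptps->pptps_len <= pptps->pptps_bytes)` uses `<=`, while the commit message describes only the case where the advertised length is smaller than the bytes already processed; when `pptps_len == pptps_bytes` the remaining length is zero, not negative, and the message has been consumed exactly. If rejecting that case is intended (no further payload to copy means nothing useful can follow), document it in a comment above the check; otherwise `<` is the condition the commit message actually describes. With either form, `(size_t)(pptps->pptps_len - pptps->pptps_bytes)` is guaranteed a positive operand, which is what closes the 16-bit wraparound the commit message reports.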