ppp: Reject FSM messages whose length is smaller than the message header

PR:		271843
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Reviewed by:	des, emaste
Differential Revision:	https://reviews.freebsd.org/D57139
This commit is contained in:
John Baldwin
2026-06-10 09:44:10 -04:00
parent 7e971892df
commit 4d8fde8cff
+6
View File
@@ -1060,6 +1060,12 @@ fsm_Input(struct fsm *fp, struct mbuf *bp)
m_freem(bp);
return;
}
if (ntohs(lh.length) < sizeof(lh)) {
log_Printf(LogWARN, "%s: Header length %d is too small - dropped\n",
fp->link->name, (int)ntohs(lh.length));
m_freem(bp);
return;
}
if (lh.code < fp->min_code || lh.code > fp->max_code ||
lh.code > sizeof FsmCodes / sizeof *FsmCodes) {