From 4d8fde8cff0796f32e659036543aa17d16a15b1b Mon Sep 17 00:00:00 2001
From: John Baldwin
Date: Wed, 10 Jun 2026 09:44:10 -0400
Subject: [PATCH] ppp: Reject FSM messages whose length is smaller than the message header

PR: 271843
Reported by: Robert Morris
Reviewed by: des, emaste
Differential Revision: https://reviews.freebsd.org/D57139
---
 usr.sbin/ppp/fsm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/usr.sbin/ppp/fsm.c b/usr.sbin/ppp/fsm.c
index 5c011bef7f4..060a9149a6a 100644
--- a/usr.sbin/ppp/fsm.c
+++ b/usr.sbin/ppp/fsm.c
@@ -1060,6 +1060,12 @@ fsm_Input(struct fsm *fp, struct mbuf *bp)
 m_freem(bp);
 return;
 }
+ if (ntohs(lh.length) < sizeof(lh)) {
+ log_Printf(LogWARN, "%s: Header length %d is too small - dropped\n",
+ fp->link->name, (int)ntohs(lh.length));
+ m_freem(bp);
+ return;
+ }
 if (lh.code < fp->min_code || lh.code > fp->max_code || lh.code > sizeof FsmCodes / sizeof *FsmCodes) {
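Review bot: The new `ntohs(lh.length) < sizeof(lh)` guard carries no comment naming the invariant it establishes, so a later refactor could move or drop it without noticing that the rest of fsm_Input relies on it. The length field is supplied by the peer, and code after this point presumably derives the payload size as length minus header size, which would wrap for a too-small value; that consumer is outside the hunk, so confirm it before wording the comment as fact. I would add above the `if`: `/* lh.length is peer-supplied and counts the header itself; reject anything shorter so later length - sizeof(lh) arithmetic cannot wrap. */`. The warning is also emitted once per malformed packet at LogWARN, so a misbehaving peer controls the log volume; whether that needs rate limiting depends on how the neighbouring rejection paths log, which the hunk does not show. fsm_Input starts and ends outside the hunk.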