From 37ee573ec61b02807b0032a295a1d519ee35f49d Mon Sep 17 00:00:00 2001
From: Xin LI <delphij@FreeBSD.org>
Date: Wed, 10 Nov 2004 05:49:52 +0000
Subject: [PATCH] Correct a potential DoS vulnerability, as described at

http://www.securityfocus.com/archive/1/379450

This patch is based on dillon's patch on DragonFlyBSD, which is in
turn derived from OpenBSD's src/usr.sbin/pppd/cbcp.c,v 1.6.

Obtained from:	OpenBSD via DragonFlyBSD
Encouraged by:	nectar
---
 usr.sbin/pppd/cbcp.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/pppd/cbcp.c b/usr.sbin/pppd/cbcp.c
index fb265e6d5954..f72fe9efd7e2 100644
--- a/usr.sbin/pppd/cbcp.c
+++ b/usr.sbin/pppd/cbcp.c
@@ -132,12 +132,10 @@ cbcp_input(unit, inpacket, pktlen)
     GETCHAR(id, inp);
     GETSHORT(len, inp);
 
-#if 0
-    if (len > pktlen) {
+    if (len < CBCP_MINLEN || len > pktlen) {
         syslog(LOG_ERR, "CBCP packet: invalid length");
         return;
     }
-#endif
 
     len -= CBCP_MINLEN;
  
@@ -271,12 +269,16 @@ cbcp_recvreq(us, pckt, pcktlen)
 
     address[0] = 0;
 
-    while (len) {
+    while (len > 1) {
         syslog(LOG_DEBUG, "length: %d", len);
 
 	GETCHAR(type, pckt);
 	GETCHAR(opt_len, pckt);
 
+	if (len < opt_len)
+		break;
+	len -= opt_len;
+
 	if (opt_len > 2)
 	    GETCHAR(delay, pckt);
 
@@ -305,7 +307,6 @@ cbcp_recvreq(us, pckt, pcktlen)
 	case CB_CONF_LIST:
 	    break;
 	}
-	len -= opt_len;
     }
 
     cbcp_resp(us);
@@ -399,10 +400,13 @@ cbcp_recvack(us, pckt, len)
     int opt_len;
     char address[256];
 
-    if (len) {
+    if (len > 1) {
         GETCHAR(type, pckt);
 	GETCHAR(opt_len, pckt);
      
+	if (opt_len > len)
+		return;
+
 	if (opt_len > 2)
 	    GETCHAR(delay, pckt);