net-dialup/l2tpd/files/l2tpd-0.69-can-2004-0649.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

--- l2tpd-0.69.orig/control.c
+++ l2tpd-0.69/control.c
@@ -1575,6 +1575,15 @@
     wbuf[pos++] = e;
     for (x = 0; x < buf->len; x++)
     {
+		// we must at least still have 3 bytes left in the worst case scenario:
+        // 1 for a possible escape, 1 for the value and 1 to end the PPP stream.
+        if(pos >= (sizeof(wbuf) - 4)) {
+            if(DEBUG)
+                log(LOG_CRIT, "%s: rx packet is too big after PPP encoding (size %u, max is %u)\n",
+                                __FUNCTION__, buf->len, MAX_RECV_SIZE);
+            return -EINVAL;
+        }   
+
         e = *((char *) buf->start + x);
         if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
         {