X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fcbcp.c;h=7f2f7877cbbf4011a007441c3545d4dd2520e8dd;hp=394f9e40869508f302e0e39e126b12975e07b00d;hb=9596fe66415eb97e70cbbafc08c2af387aea062b;hpb=f53a48eb9d74db3c71938e114b7f489c339bc003 diff --git a/pppd/cbcp.c b/pppd/cbcp.c index 394f9e4..7f2f787 100644 --- a/pppd/cbcp.c +++ b/pppd/cbcp.c @@ -33,7 +33,7 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#define RCSID "$Id: cbcp.c,v 1.14 2002/12/04 23:03:32 paulus Exp $" +#define RCSID "$Id: cbcp.c,v 1.17 2006/05/22 00:04:07 paulus Exp $" #include #include @@ -165,7 +165,8 @@ cbcp_input(unit, inpacket, pktlen) inp = inpacket; if (pktlen < CBCP_MINLEN) { - error("CBCP packet is too small"); + if (debug) + dbglog("CBCP packet is too small"); return; } @@ -173,12 +174,11 @@ cbcp_input(unit, inpacket, pktlen) GETCHAR(id, inp); GETSHORT(len, inp); -#if 0 - if (len > pktlen) { - error("CBCP packet: invalid length"); + if (len > pktlen || len < CBCP_MINLEN) { + if (debug) + dbglog("CBCP packet: invalid length %d", len); return; } -#endif len -= CBCP_MINLEN; @@ -189,11 +189,12 @@ cbcp_input(unit, inpacket, pktlen) break; case CBCP_RESP: - dbglog("CBCP_RESP received"); + if (debug) + dbglog("CBCP_RESP received"); break; case CBCP_ACK: - if (id != us->us_id) + if (debug && id != us->us_id) dbglog("id doesn't match: expected %d recv %d", us->us_id, id); @@ -312,11 +313,13 @@ cbcp_recvreq(us, pckt, pcktlen) address[0] = 0; - while (len) { + while (len >= 2) { dbglog("length: %d", len); GETCHAR(type, pckt); GETCHAR(opt_len, pckt); + if (opt_len < 2 || opt_len > len) + break; if (opt_len > 2) GETCHAR(delay, pckt); @@ -348,6 +351,11 @@ cbcp_recvreq(us, pckt, pcktlen) } len -= opt_len; } + if (len != 0) { + if (debug) + dbglog("cbcp_recvreq: malformed packet (%d bytes left)", len); + return; + } cbcp_resp(us); } @@ -360,6 +368,7 @@ cbcp_resp(us) u_char buf[256]; u_char *bufp = buf; int len = 0; + int slen; cb_type = us->us_allowed & us->us_type; dbglog("cbcp_resp cb_type=%d", cb_type); @@ -371,12 +380,17 @@ cbcp_resp(us) if (cb_type & ( 1 << CB_CONF_USER ) ) { dbglog("cbcp_resp CONF_USER"); + slen = strlen(us->us_number); + if (slen > 250) { + warn("callback number truncated to 250 characters"); + slen = 250; + } PUTCHAR(CB_CONF_USER, bufp); - len = 3 + 1 + strlen(us->us_number) + 1; + len = 3 + 1 + slen + 1; PUTCHAR(len , bufp); PUTCHAR(5, bufp); /* delay */ PUTCHAR(1, bufp); - BCOPY(us->us_number, bufp, strlen(us->us_number) + 1); + BCOPY(us->us_number, bufp, slen + 1); cbcp_send(us, CBCP_RESP, buf, len); return; } @@ -394,9 +408,8 @@ cbcp_resp(us) if (cb_type & ( 1 << CB_CONF_NO ) ) { dbglog("cbcp_resp CONF_NO"); PUTCHAR(CB_CONF_NO, bufp); - len = 3; + len = 2; PUTCHAR(len , bufp); - PUTCHAR(0, bufp); cbcp_send(us, CBCP_RESP, buf, len); start_networks(us->us_unit); return; @@ -439,25 +452,29 @@ cbcp_recvack(us, pckt, len) int opt_len; char address[256]; - if (len) { + if (len >= 2) { GETCHAR(type, pckt); GETCHAR(opt_len, pckt); + if (opt_len >= 2 && opt_len <= len) { - if (opt_len > 2) - GETCHAR(delay, pckt); + if (opt_len > 2) + GETCHAR(delay, pckt); - if (opt_len > 4) { - GETCHAR(addr_type, pckt); - memcpy(address, pckt, opt_len - 4); - address[opt_len - 4] = 0; - if (address[0]) - dbglog("peer will call: %s", address); - } - if (type == CB_CONF_NO) - return; - } + if (opt_len > 4) { + GETCHAR(addr_type, pckt); + memcpy(address, pckt, opt_len - 4); + address[opt_len - 4] = 0; + if (address[0]) + dbglog("peer will call: %s", address); + } + if (type == CB_CONF_NO) + return; + + cbcp_up(us); - cbcp_up(us); + } else if (debug) + dbglog("cbcp_recvack: malformed packet"); + } } /* ok peer will do callback */ @@ -466,6 +483,6 @@ cbcp_up(us) cbcp_state *us; { persist = 0; - lcp_close(0, "Call me back, please"); status = EXIT_CALLBACK; + lcp_close(0, "Call me back, please"); }