plugins/rp-pppoe: Make tag parsing loop condition more accurate

The loop in parsePacket() that parses the tags in a received PPPoE
packet uses a loop condition that checks if there is at least one
more byte to be read; however, the tag header is 4 bytes.  Thus it
could read 3 bytes past the end of the received data.  However,
there is no possibility of reading past the end of the
packet->payload array, since we previously checked that
len <= ETH_JUMBO_LEN (which is sizeof(packet->payload)) - 6.
Also, the tag length check will always fail (except for a tag
type of TAG_END_OF_LIST, which terminates processing).

This fixes the loop condition to require at least 4 bytes
remaining, so that we know that the tag header is within the
received data.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>

diff --git a/pppd/plugins/rp-pppoe/common.c b/pppd/plugins/rp-pppoe/common.c
index 8f175ece345b67bb4d276131aa97f1fce139d31c..9ea7fd609c8774aafbaf2cbe9bb6a6d86679b516 100644 (file)
--- a/pppd/plugins/rp-pppoe/common.c
+++ b/pppd/plugins/rp-pppoe/common.c
@@ -65,7 +65,7 @@ parsePacket(PPPoEPacket *packet, ParseFunc *func, void *extra)
 
     /* Step through the tags */
     curTag = packet->payload;
-    while(curTag - packet->payload < len) {
+    while (curTag - packet->payload + TAG_HDR_SIZE <= len) {
        /* Alignment is not guaranteed, so do this by hand... */
        tagType = (curTag[0] << 8) + curTag[1];
        tagLen = (curTag[2] << 8) + curTag[3];