plugins/rp-pppoe: Make tag parsing loop condition more accurate
authorPaul Mackerras <paulus@ozlabs.org>
Sun, 29 Dec 2019 23:22:40 +0000 (10:22 +1100)
committerPaul Mackerras <paulus@ozlabs.org>
Sun, 29 Dec 2019 23:22:40 +0000 (10:22 +1100)
commitca5e61b3db021dcfd48e36374a80cf2a3b997bb9
tree4c4588ad808116cc15d03cd282648e1d7c733990
parentc10c3c7cb3e779af5286430d5c9bb835a873ab32
plugins/rp-pppoe: Make tag parsing loop condition more accurate

The loop in parsePacket() that parses the tags in a received PPPoE
packet uses a loop condition that checks if there is at least one
more byte to be read; however, the tag header is 4 bytes.  Thus it
could read 3 bytes past the end of the received data.  However,
there is no possibility of reading past the end of the
packet->payload array, since we previously checked that
len <= ETH_JUMBO_LEN (which is sizeof(packet->payload)) - 6.
Also, the tag length check will always fail (except for a tag
type of TAG_END_OF_LIST, which terminates processing).

This fixes the loop condition to require at least 4 bytes
remaining, so that we know that the tag header is within the
received data.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
pppd/plugins/rp-pppoe/common.c