
ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow
Needs Review, Public

Authored by cy on Mon, Jun 1, 2:18 PM.

Details

Summary

A PPTP client sending a specially crafted PPTP message with a length
smaller than the already processed fixed header can panic the system.
This results in a negative remaining length (a large unsigned 16-bit
number).

Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai

MFC after: 3 days

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Skipped
Unit: Tests Skipped
Build Status: Buildable 73604
Build 70487: arc lint + arc unit
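
The underflow described in the summary, as an added example that is not code from this revision or from ipfilter: it shows the remaining-length subtraction wrapping in a 16-bit unsigned value next to a checked form that rejects the message. The function names, the sample headers and the 8-byte fixed-header size (length, message type, magic cookie) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the fixed part is length(2) + message type(2) + magic cookie(4). */
#define PPTP_FIXED_HDR 8u

/* Constructed sample headers: declared length 156, and declared length 4. */
static const unsigned char ok_hdr[8]    = {0x00, 0x9c, 0x00, 0x01, 0x1a, 0x2b, 0x3c, 0x4d};
static const unsigned char short_hdr[8] = {0x00, 0x04, 0x00, 0x01, 0x1a, 0x2b, 0x3c, 0x4d};

/* Big-endian 16-bit read of the PPTP length field. */
static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unchecked form: the subtraction wraps when the declared length is < 8. */
uint16_t remaining_unchecked(const unsigned char *msg)
{
    return (uint16_t)(be16(msg) - PPTP_FIXED_HDR);
}

/* Checked form: 0 and *rem set on success, -1 when the message must be rejected. */
int remaining_checked(const unsigned char *msg, size_t avail, uint16_t *rem)
{
    uint16_t len;

    if (avail < PPTP_FIXED_HDR)
        return -1;              /* fixed header not fully buffered yet */
    len = be16(msg);
    if (len < PPTP_FIXED_HDR)
        return -1;              /* shorter than what was already consumed */
    *rem = (uint16_t)(len - PPTP_FIXED_HDR);
    return 0;
}

int main(void)
{
    uint16_t rem = 0;

    printf("unchecked ok=%u short=%u\n",
        (unsigned)remaining_unchecked(ok_hdr), (unsigned)remaining_unchecked(short_hdr));
    printf("checked ok=%d short=%d\n",
        remaining_checked(ok_hdr, sizeof(ok_hdr), &rem),
        remaining_checked(short_hdr, sizeof(short_hdr), &rem));
    return 0;
}
```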