
ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow
Closed, Public

Authored by cy on Jun 1 2026, 2:18 PM.

Details

Summary

A PPTP client sending a specially crafted PPTP message with a length
smaller than the already processed fixed header can panic the system.
This results in a negative remaining length (a large unsigned 16-bit
number).

Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai

MFC after: 3 days
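
The underflow described in the summary, shown as an added example; this is not the ipfilter source or the committed fix. The function names and sample bytes are constructed, the 8-byte header layout and magic cookie are taken from RFC 2637, and the checked variant assumes the whole message is already in the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPTP_HDR_LEN 8u           /* RFC 2637: length(2) + type(2) + cookie(4) */
#define PPTP_MAGIC   0x1A2B3C4Du  /* RFC 2637 magic cookie */

/* Read a big-endian 16-bit field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unchecked form: declared length minus header size, kept in 16 bits.
 * A declared length below 8 wraps to a value near 65535. */
uint16_t remaining_unchecked(const uint8_t *msg)
{
    return (uint16_t)(be16(msg) - PPTP_HDR_LEN);
}

/* Checked form (hypothetical helper): returns 0 and stores the body length in
 * *remaining, or -1 if the buffer is shorter than the header, the cookie is
 * wrong, or the declared length is below the header size or above avail. */
int remaining_checked(const uint8_t *msg, size_t avail, uint16_t *remaining)
{
    uint16_t len;
    uint32_t cookie;

    if (avail < PPTP_HDR_LEN)
        return -1;
    len = be16(msg);
    cookie = ((uint32_t)be16(msg + 4) << 16) | be16(msg + 6);
    if (cookie != PPTP_MAGIC || len < PPTP_HDR_LEN || len > avail)
        return -1;
    *remaining = (uint16_t)(len - PPTP_HDR_LEN);
    return 0;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t short_len[8] = { 0x00, 0x04, 0x00, 0x01, 0x1A, 0x2B, 0x3C, 0x4D };
const uint8_t good_msg[16] = { 0x00, 0x10, 0x00, 0x01, 0x1A, 0x2B, 0x3C, 0x4D,
                               0x00, 0x05, 0x00, 0x00, 0, 0, 0, 0 };

int main(void)
{
    uint16_t r = 0;
    printf("unchecked remaining: %u\n", (unsigned)remaining_unchecked(short_len));
    printf("checked, short length: %d\n", remaining_checked(short_len, 8, &r));
    printf("checked, valid message: %d (remaining %u)\n",
           remaining_checked(good_msg, 16, &r), (unsigned)r);
    return 0;
}
```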

Diff Detail

Repository
rG FreeBSD src repository