diff --git a/src/netif/ppp/chap-new.c b/src/netif/ppp/chap-new.c
index d462d856..5d71de0b 100644
--- a/src/netif/ppp/chap-new.c
+++ b/src/netif/ppp/chap-new.c
@@ -240,9 +240,13 @@ static void chap_timeout(void *arg) { return; }
- p = pbuf_alloc(PBUF_RAW, (u16_t)(pcb->chap_server.challenge_pktlen), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(pcb->chap_server.challenge_pktlen), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 MEMCPY(p->payload, pcb->chap_server.challenge, pcb->chap_server.challenge_pktlen); ppp_write(pcb, p); ++pcb->chap_server.challenge_xmits;
@@ -334,9 +338,13 @@ static void chap_handle_response(ppp_pcb *pcb, int id, /* send the response */ mlen = strlen(pcb->chap_server.message); len = CHAP_HDRLEN + mlen;
- p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN +len), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN +len), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload; MAKEHEADER(outp, PPP_CHAP);
@@ -427,9 +435,13 @@ static void chap_respond(ppp_pcb *pcb, int id, char rname[MAXNAMELEN+1]; char secret[MAXSECRETLEN+1];
- p = pbuf_alloc(PBUF_RAW, (u16_t)(RESP_MAX_PKTLEN), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(RESP_MAX_PKTLEN), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 if ((pcb->chap_client.flags & (LOWERUP | AUTH_STARTED)) != (LOWERUP | AUTH_STARTED)) return; /* not ready */
diff --git a/src/netif/ppp/eap.c b/src/netif/ppp/eap.c
index 3b32a1e4..235c0cd3 100644
--- a/src/netif/ppp/eap.c
+++ b/src/netif/ppp/eap.c
@@ -266,9 +266,13 @@ eap_state *esp; struct pbuf *p; u_char *outp;
- p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + EAP_HEADERLEN), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + EAP_HEADERLEN), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload;
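Review bot: The new `p->tot_len != p->len` test in chap_timeout carries no comment explaining why a chained pbuf has to be rejected, and the same five lines are pasted into every other hunk of this commit. The reason is visible one line further down: `MEMCPY(p->payload, ...)` writes challenge_pktlen bytes through p->payload, and on a PBUF_POOL chain that pointer only covers the first segment. I would put `/* PBUF_POOL may return a chain; we write through p->payload only, so require one contiguous segment */` above the test. Moving the allocate, check and free sequence into one shared helper would also let the bound be audited in a single place instead of eighteen.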
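Review bot: In chap_respond the not-ready early return that follows the allocation (`return; /* not ready */`) exits without freeing p, so every call made before LOWERUP and AUTH_STARTED are both set leaks one pbuf. That path predates this commit, but with the allocation moved to PBUF_POOL the leak now drains a fixed-size pool, which is presumably shared with other packet buffers in the stack. Either test the flags before calling pbuf_alloc or release the buffer on that path, for example `if (...) { pbuf_free(p); return; }`. chap_respond continues past the end of the hunk, so its later return paths deserve the same look.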
@@ -297,9 +301,13 @@ eap_state *esp; struct pbuf *p; u_char *outp;
- p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + EAP_HEADERLEN), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + EAP_HEADERLEN), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload;
@@ -696,10 +704,13 @@ eap_state *esp; return; }
- /* FIXME: improve buffer size */
- p = pbuf_alloc(PBUF_RAW, (u16_t)(pcb->peer_mru+PPP_HDRLEN), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PBUF_POOL_BUFSIZE), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload;
@@ -1059,9 +1070,13 @@ static void eap_send_response(ppp_pcb *pcb, u_char id, u_char typenum, u_char *s int msglen; msglen = EAP_HEADERLEN + sizeof (u_char) + lenstr;
- p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload;
@@ -1089,9 +1104,13 @@ static void eap_chap_response(ppp_pcb *pcb, u_char id, u_char *hash, char *name, msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + MD5_SIGNATURE_SIZE + namelen;
- p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload;
@@ -1130,9 +1149,13 @@ int lenstr; int msglen; msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + lenstr;
- p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload;
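Review bot: The eap.c hunk at -696 now requests PBUF_POOL_BUFSIZE bytes where it used to request `pcb->peer_mru+PPP_HDRLEN`, and the added `tot_len != len` test cannot catch a buffer that is too small, since a request for one pool buffer's worth should come back unchained. If the code that fills outp after the hunk (not visible here) still limits itself by peer_mru, it can write past p->len on any build where PBUF_POOL_BUFSIZE is smaller than peer_mru plus the PPP header. The fill code should take its limit from `p->len`, or the build should refuse a pool buffer size that cannot hold a full frame. fsm_sconfreq in fsm.c and lcp_reqci in lcp.c make the same substitution and need the same check.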
@@ -1168,9 +1191,13 @@ u_char *str; msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u32_t) + SHA_DIGESTSIZE;
- p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload;
@@ -1195,9 +1222,13 @@ static void eap_send_nak(ppp_pcb *pcb, u_char id, u_char type) { int msglen; msglen = EAP_HEADERLEN + 2 * sizeof (u_char);
- p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload;
diff --git a/src/netif/ppp/fsm.c b/src/netif/ppp/fsm.c
index 89638d61..04f2f26d 100644
--- a/src/netif/ppp/fsm.c
+++ b/src/netif/ppp/fsm.c
@@ -706,10 +706,13 @@ static void fsm_sconfreq(fsm *f, int retransmit) { f->seen_ack = 0;
- /* FIXME: improve buffer size */
- p = pbuf_alloc(PBUF_RAW, (u16_t)(pcb->peer_mru+PPP_HDRLEN), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(PBUF_POOL_BUFSIZE), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 /* * Make up the request packet
@@ -756,9 +759,13 @@ void fsm_sdata(fsm *f, u_char code, u_char id, u_char *data, int datalen) { datalen = pcb->peer_mru - HEADERLEN; outlen = datalen + HEADERLEN;
- p = pbuf_alloc(PBUF_RAW, (u16_t)(outlen + PPP_HDRLEN), PBUF_RAM);
+ p = pbuf_alloc(PBUF_RAW, (u16_t)(outlen + PPP_HDRLEN), PBUF_POOL);
 if(NULL == p) return;
+ if(p->tot_len != p->len) {
+ pbuf_free(p);
+ return;
+ }
 outp = p->payload; /* if (datalen && data != outp + PPP_HDRLEN + HEADERLEN) -- was only for fsm_sconfreq() */
diff --git a/src/netif/ppp/lcp.c b/src/netif/ppp/lcp.c
index f1445519..cb44e687 100644
--- a/src/netif/ppp/lcp.c
+++ b/src/netif/ppp/lcp.c
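Review bot: In fsm_sdata the only cap on datalen visible here is the context line `datalen = pcb->peer_mru - HEADERLEN;`, so `outlen + PPP_HDRLEN` can still exceed one pool buffer; the allocation then comes back chained and the new test drops the packet without any trace. A control packet that silently never leaves is hard to diagnose, and a retransmission of the same size would be dropped the same way. Cap datalen by the pool buffer as well, e.g. `if (datalen > PBUF_POOL_BUFSIZE - PPP_HDRLEN - HEADERLEN) datalen = PBUF_POOL_BUFSIZE - PPP_HDRLEN - HEADERLEN;`, or at least log on the free-and-return path. upap_sauthreq and upap_sresp in upap.c size their request from the user name, password and message lengths and reach the same silent return. The statement that guards the datalen assignment starts above the hunk.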
@@ -1779,9 +1779,14 @@ static int lcp_reqci(fsm *f, u_char *inp, int *lenp, int reject_if_disagree) { * Process all his options. */ next = inp; - nakp = pbuf_alloc(PBUF_RAW, (u16_t)(pcb->peer_mru), PBUF_RAM); + nakp = pbuf_alloc(PBUF_RAW, (u16_t)(PBUF_POOL_BUFSIZE), PBUF_POOL); if(NULL == nakp) return 0; + if(nakp->tot_len != nakp->len) { + pbuf_free(nakp); + return 0; + } + nakoutp = nakp->payload; rejp = inp; while (l) { diff --git a/src/netif/ppp/upap.c b/src/netif/ppp/upap.c index 0de5a57d..fd470ac8 100644 --- a/src/netif/ppp/upap.c +++ b/src/netif/ppp/upap.c @@ -530,9 +530,13 @@ static void upap_sauthreq(ppp_pcb *pcb) { outlen = UPAP_HEADERLEN + 2 * sizeof (u_char) + pcb->upap.us_userlen + pcb->upap.us_passwdlen; - p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN +outlen), PBUF_RAM); + p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN +outlen), PBUF_POOL); if(NULL == p) return; + if(p->tot_len != p->len) { + pbuf_free(p); + return; + } outp = p->payload; MAKEHEADER(outp, PPP_PAP); @@ -563,9 +567,13 @@ static void upap_sresp(ppp_pcb *pcb, u_char code, u_char id, char *msg, int msgl int outlen; outlen = UPAP_HEADERLEN + sizeof (u_char) + msglen; - p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN +outlen), PBUF_RAM); + p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN +outlen), PBUF_POOL); if(NULL == p) return; + if(p->tot_len != p->len) { + pbuf_free(p); + return; + } outp = p->payload; MAKEHEADER(outp, PPP_PAP);