From 5bf9cebb543b6a6208fdc88632c6e0d6ec515831 Mon Sep 17 00:00:00 2001 From: Sylvain Rochet Date: Sun, 18 Oct 2020 02:13:08 +0200 Subject: [PATCH] PPP: check that pbuf_coalesce succeed When pbuf_coalesce fails it does nothing and returns the previous buffer chain. Adds checks that pbuf_coalesce succeeded, otherwise drop incoming packet. --- src/netif/ppp/ppp.c | 4 ++++ src/netif/ppp/pppoe.c | 4 ++++ src/netif/ppp/pppol2tp.c | 5 +++++ 3 files changed, 13 insertions(+) diff --git a/src/netif/ppp/ppp.c b/src/netif/ppp/ppp.c index dcefd3a6..4e7667e1 100644 --- a/src/netif/ppp/ppp.c +++ b/src/netif/ppp/ppp.c @@ -930,6 +930,10 @@ void ppp_input(ppp_pcb *pcb, struct pbuf *pb) { for (i = 0; (protp = protocols[i]) != NULL; ++i) { if (protp->protocol == protocol) { pb = pbuf_coalesce(pb, PBUF_RAW); + if (pb->next != NULL) { + PPPDEBUG(LOG_WARNING, ("ppp_input[%d]: Dropping (pbuf_coalesce failed), len=%d\n", pcb->netif->num, pb->tot_len)); + goto drop; + } (*protp->input)(pcb, (u8_t*)pb->payload, pb->len); goto out; } diff --git a/src/netif/ppp/pppoe.c b/src/netif/ppp/pppoe.c index 5098d8dd..ee85af4f 100644 --- a/src/netif/ppp/pppoe.c +++ b/src/netif/ppp/pppoe.c @@ -410,6 +410,10 @@ pppoe_disc_input(struct netif *netif, struct pbuf *pb) } pb = pbuf_coalesce(pb, PBUF_RAW); + if (pb->next != NULL) { + PPPDEBUG(LOG_DEBUG, ("pppoe: pbuf_coalesce failed: %d\n", pb->tot_len)); + goto done; + } ethhdr = (struct eth_hdr *)pb->payload; diff --git a/src/netif/ppp/pppol2tp.c b/src/netif/ppp/pppol2tp.c index 6a35233c..15ea2ae5 100644 --- a/src/netif/ppp/pppol2tp.c +++ b/src/netif/ppp/pppol2tp.c @@ -530,6 +530,11 @@ static void pppol2tp_dispatch_control_packet(pppol2tp_pcb *l2tp, u16_t port, str l2tp->peer_ns = ns+1; p = pbuf_coalesce(p, PBUF_RAW); + if (p->next != NULL) { + PPPDEBUG(LOG_DEBUG, ("pppol2tp: pbuf_coalesce failed: %d\n", p->tot_len)); + return; + } + inp = (u8_t*)p->payload; /* Decode AVPs */ while (p->len > 0) {