From 5e43e2d33367947cd66034d44834fc894b4c6482 Mon Sep 17 00:00:00 2001
From: Sylvain Rochet
Date: Wed, 22 Apr 2015 00:50:08 +0200
Subject: [PATCH] PPP, L2TP, minor fixes
Check tot_len for ZLB instead of len, it might happens we are just between 2 pbuf, although almost impossible. Check buffer is at least 2 byte long before checking address & flags header.
---
 src/netif/ppp/pppol2tp.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/netif/ppp/pppol2tp.c b/src/netif/ppp/pppol2tp.c
index 09bbc1ac..a02766fd 100644
--- a/src/netif/ppp/pppol2tp.c
+++ b/src/netif/ppp/pppol2tp.c
@@ -475,9 +475,11 @@ static void pppol2tp_input(void *arg, struct udp_pcb *pcb, struct pbuf *p, const
 * RFC 2661 does not specify whether the PPP frame in the L2TP payload should
 * have a HDLC header or not. We handle both cases for compatibility.
 */
- GETSHORT(hflags, inp);
- if (hflags == 0xff03) {
- pbuf_header(p, -(s16_t)2);
+ if (p->len >= 2) {
+ GETSHORT(hflags, inp);
+ if (hflags == 0xff03) {
+ pbuf_header(p, -(s16_t)2);
+ }
 }
 /* Dispatch the packet thereby consuming it. */
 ppp_input(l2tp->ppp, p);
@@ -510,7 +512,7 @@ static void pppol2tp_dispatch_control_packet(pppol2tp_pcb *l2tp, u16_t port, str
 }
 /* ZLB packets */
- if (p->len == 0) {
+ if (p->tot_len == 0) {
 return;
 }
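Review bot: The new `if (p->len >= 2)` guard in pppol2tp_input bounds the `GETSHORT(hflags, inp)` read only if `inp` points at the start of the first pbuf's payload at this line. The hunk does not show where `inp` was last set relative to `p->payload`, so that invariant should be stated next to the check. Testing `p->len` rather than `tot_len` is consistent with a contiguous two-byte read, but a frame whose `0xff03` header is split across two chained pbufs then reaches `ppp_input` with the header still attached. I would record both facts in a comment above the guard, for example `/* p->len, not tot_len: GETSHORT reads two contiguous bytes at inp (== p->payload here); a header split across pbufs is left in place */`. The function body starts and ends outside the hunk.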
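Review bot: With the ZLB test in pppol2tp_dispatch_control_packet changed to `p->tot_len == 0`, a chain whose first pbuf is empty but whose `tot_len` is non-zero no longer returns here. Whatever parses the control message after this check therefore needs its own `p->len` bound before reading through `p->payload`. That parsing code is outside the hunk, so I cannot confirm it has one; this is worth verifying because the packet comes straight from the UDP receive path. The existing comment could also carry the reasoning from the commit message, for example `/* ZLB packets; use tot_len, the first pbuf of a chain may be empty */`.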