Module Name: src
Committed By: riastradh
Date: Wed Jul 6 08:07:23 UTC 2022
Modified Files:
src/sys/net: if_ppp.c
Log Message:
net/if_ppp.c: Avoid user-controlled overrun in PPPIOCSCOMPRESS.
Reported-by: syzbot+2c7bda7dc2b6c0d4f...@syzkaller.appspotmail.com
To generate a diff of this commit:
cvs rdiff -u -r1.168 -r1.169 src/sys/net/if_ppp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_ppp.c
diff -u src/sys/net/if_ppp.c:1.168 src/sys/net/if_ppp.c:1.169
--- src/sys/net/if_ppp.c:1.168 Wed Jul 6 08:06:59 2022
+++ src/sys/net/if_ppp.c Wed Jul 6 08:07:23 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: if_ppp.c,v 1.168 2022/07/06 08:06:59 riastradh Exp $ */
+/* $NetBSD: if_ppp.c,v 1.169 2022/07/06 08:07:23 riastradh Exp $ */
/* Id: if_ppp.c,v 1.6 1997/03/04 03:33:00 paulus Exp */
/*
@@ -102,7 +102,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ppp.c,v 1.168 2022/07/06 08:06:59 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ppp.c,v 1.169 2022/07/06 08:07:23 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "ppp.h"
@@ -597,6 +597,8 @@ pppioctl(struct ppp_softc *sc, u_long cm
nb = odp->length;
if (nb > sizeof(ccp_option))
nb = sizeof(ccp_option);
+ if (nb < 3)
+ return EINVAL;
if ((error = copyin(odp->ptr, ccp_option, nb)) != 0)
return error;
/* preliminary check on the length byte */
