On Tue, Aug 30, 2022 at 03:41:29PM +0200, Alexander Bluhm wrote:
> Hi,
>
> It looks like syzkaller has found a missing input validation in pipex.
>
> https://syzkaller.appspot.com/bug?id=c7ac769bd7ee15549b8a2be188bcee07d98a5357
>
> As I have no pipex setup, can anyone test this diff please?
>
ok mvs@ > bluhm > > Index: net/pipex.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/pipex.c,v > retrieving revision 1.147 > diff -u -p -r1.147 pipex.c > --- net/pipex.c 25 Jul 2022 08:28:42 -0000 1.147 > +++ net/pipex.c 30 Aug 2022 13:21:03 -0000 > @@ -277,12 +277,24 @@ pipex_init_session(struct pipex_session > } > #ifdef PIPEX_MPPE > if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ACCEPTED) != 0) { > - if (req->pr_mppe_recv.keylenbits <= 0) > + switch (req->pr_mppe_recv.keylenbits) { > + case 40: > + case 56: > + case 128: > + break; > + default: > return (EINVAL); > + } > } > if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ENABLED) != 0) { > - if (req->pr_mppe_send.keylenbits <= 0) > + switch (req->pr_mppe_send.keylenbits) { > + case 40: > + case 56: > + case 128: > + break; > + default: > return (EINVAL); > + } > } > if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_REQUIRED) != 0) { > if ((req->pr_ppp_flags & >
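
Review bot: the allow-list of 40, 56 and 128 is spelled out twice in this hunk, once in the PIPEX_PPP_MPPE_ACCEPTED branch for req->pr_mppe_recv.keylenbits and once in the PIPEX_PPP_MPPE_ENABLED branch for req->pr_mppe_send.keylenbits, so a later change to the accepted lengths can update one direction and miss the other. Consider moving the switch into one small static helper that takes keylenbits and returns 0 or EINVAL, and calling it from both branches. A short comment on the helper saying that these three values are the only key lengths accepted would also record why the previous `keylenbits <= 0` test, which let any positive value through, was replaced.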