Apply by doing:
cd /usr/src
patch -p0 < 033_pppd.patch
Then rebuild and install pppd:
cd usr.sbin/pppd
make obj
make
make install
Index: usr.sbin/pppd/cbcp.c
===================================================================
RCS file: /cvs/src/usr.sbin/pppd/cbcp.c,v
retrieving revision 1.5
retrieving revision 1.5.6.1
diff -u -p -r1.5 -r1.5.6.1
--- usr.sbin/pppd/cbcp.c 13 Sep 2002 18:19:45 -0000 1.5
+++ usr.sbin/pppd/cbcp.c 5 Nov 2004 01:54:12 -0000 1.5.6.1
@@ -147,13 +147,10 @@ cbcp_input(unit, inpacket, pktlen)
GETCHAR(id, inp);
GETSHORT(len, inp);
-#if 0
- if (len > pktlen) {
+ if (len < CBCP_MINLEN || len > pktlen) {
syslog(LOG_ERR, "CBCP packet: invalid length");
return;
}
-#endif
-
len -= CBCP_MINLEN;
switch(code) {
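Review bot: The re-enabled length check in cbcp_input has no comment explaining why the lower bound matters, although it is the half that protects the `len -= CBCP_MINLEN;` two lines below from wrapping or going negative. I would add above the `if`: `/* len comes from the peer: it must cover the CBCP header (CBCP_MINLEN is subtracted below) and must not exceed the bytes actually received */`. Adding the rejected values to the log line would also help when triaging a misbehaving peer, though the types of `len` and `pktlen` are declared outside this hunk, so the format specifiers need checking. cbcp_input starts and ends outside the hunk.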
@@ -286,12 +283,16 @@ cbcp_recvreq(us, pckt, pcktlen)
address[0] = 0;
- while (len) {
+ while (len > 1) {
syslog(LOG_DEBUG, "length: %d", len);
GETCHAR(type, pckt);
GETCHAR(opt_len, pckt);
+ if (len < opt_len)
+ break;
+ len -= opt_len;
+
if (opt_len > 2)
GETCHAR(delay, pckt);
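Review bot: The new guard `if (len < opt_len) break;` in the cbcp_recvreq loop rejects an option longer than the remaining data but still accepts an option length of 0 or 1. Each iteration has already consumed two bytes through the two GETCHAR calls, so with `opt_len == 0` `len` never shrinks while `pckt` keeps advancing, and with `opt_len == 1` `pckt` advances faster than `len` is reduced; in both cases the loop can read past the received data. The guard should also enforce the two-byte option header: `if (opt_len < 2 || opt_len > len) break;`. The declaration of `opt_len` and the rest of the loop body are outside this hunk.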
@@ -320,7 +321,6 @@ cbcp_recvreq(us, pckt, pcktlen)
case CB_CONF_LIST:
break;
}
- len -= opt_len;
}
cbcp_resp(us);
@@ -414,10 +414,13 @@ cbcp_recvack(us, pckt, len)
int opt_len;
char address[256];
- if (len) {
+ if (len > 1) {
GETCHAR(type, pckt);
GETCHAR(opt_len, pckt);
-
+
+ if (opt_len > len)
+ return;
+
if (opt_len > 2)
GETCHAR(delay, pckt);
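Review bot: The added `if (opt_len > len) return;` in cbcp_recvack drops a malformed ack silently, whereas cbcp_input logs "CBCP packet: invalid length" for the equivalent condition. Logging here too, e.g. `syslog(LOG_ERR, "CBCP ack: invalid option length");` before the `return`, would leave a trace when a peer sends inconsistent option lengths. The comparison is also written the other way round from the one added in cbcp_recvreq (`len < opt_len`), so using one form in both places would make the two checks easier to audit together. The remainder of the `if (len > 1)` body is outside the hunk.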