untrusted comment: verify with openbsd-73-base.pub
RWQS90bYzZ4XFt1e27Qzdj+l6gE2tG5CvsUdswq6CGtuejEJvuRrTpzYJYAZFVZ0yNwmuc+2Li7rcXcyqJKdu01UF4uvrRmZHwQ=

OpenBSD 7.3 errata 016, September 21, 2023:

npppd(8) could crash by a l2tp message which has an AVP with wrong
length.

Apply by doing:
   signify -Vep /etc/signify/openbsd-73-base.pub \
       -x 016_npppd.patch.sig -m - | (cd /usr/src && patch -p0)

And then rebuild and install npppd:
   cd /usr/src/usr.sbin/npppd
   make obj
   make
   make install

Index: usr.sbin/npppd/l2tp/l2tp_subr.c
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/l2tp/l2tp_subr.c,v
diff -u -p -r1.4 l2tp_subr.c
--- usr.sbin/npppd/l2tp/l2tp_subr.c     8 May 2012 13:15:11 -0000       1.4
+++ usr.sbin/npppd/l2tp/l2tp_subr.c     18 Sep 2023 17:06:34 -0000
@@ -80,10 +80,10 @@ avp_enum(struct l2tp_avp *avp, const u_c
       avp->attr_type |= *(pkt + 1);
       pkt += 2;

-       if (avp->length > pktlen)
+       if (avp->length < 6 || avp->length > pktlen)
               return -1;

-       if (filldata != 0)
+       if (avp->length > 6 && filldata != 0)
               memcpy(avp->attr_value, pkt, avp->length - 6);

       return avp->length;
@@ -285,9 +285,8 @@ avp_find(struct l2tp_avp *avp, const u_c

       while (pktlen >= 6 &&
           (avpsz = avp_enum(avp, pkt, pktlen, fill_data)) > 0) {
+               L2TP_SUBR_ASSERT(avpsz >= 6);
               if (avp->vendor_id != vendor_id || avp->attr_type != attr_type) {
-                       if (avpsz < 6)
-                               return NULL;
                       pkt += avpsz;
                       pktlen -= avpsz;
                       continue;

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.