The branch main has been updated by cy:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=37e9d3641ba0e0da0d2bbaa26a59ee56a8cf3ee6

commit 37e9d3641ba0e0da0d2bbaa26a59ee56a8cf3ee6
Author:     Cy Schubert <[email protected]>
AuthorDate: 2026-05-29 06:17:39 +0000
Commit:     Cy Schubert <[email protected]>
CommitDate: 2026-06-08 13:51:24 +0000

    ipfilter: Fix ip_pptp_pxy (PPTP proxy) length underflow
    
    A PPTP client sending a specially crafted PPTP message with a length
    smaller than the already processed fixed header can panic the system.
    This results in a negative remaining length (a large unsigned 16-bit
    number).
    
    Reported by:    Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
                    and Ke Xu from Tsinghua University using GLM-5.1 from
                    Z.ai
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D57383
---
 sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c 
b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
index dc4c67dc14f0..95eaf78bd575 100644
--- a/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
+++ b/sys/netpfil/ipfilter/netinet/ip_pptp_pxy.c
@@ -318,7 +318,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, 
pptp_pxy_t *pptp, int rev)
                         * it should match 1a2b3c4d.  Byte order is ignored,
                         * deliberately, when printing out the error.
                         */
-                       len = MIN(8 - pptps->pptps_bytes, dlen);
+                       if (pptps->pptps_bytes >= 8)
+                               return (-1);
+                       len = MIN((size_t)(8 - pptps->pptps_bytes), dlen);
                        COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
                        pptps->pptps_bytes += len;
                        pptps->pptps_wptr += len;
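Review bot: The new `(size_t)` cast on `8 - pptps->pptps_bytes` makes the MIN() comparison unsigned, so its correctness now also depends on dlen, whose declaration and earlier checks are outside the hunk: if dlen is a signed int that can reach zero or a negative value here, the conversion turns it into a huge size_t and the header bound wins rather than the segment length. A comment on the guard would make the two preconditions explicit, e.g. `/* pptps_bytes < 8 here, so the remaining header length is positive; dlen must already be > 0 */`. The early `return (-1)` also leaves pptps_bytes and pptps_wptr untouched, so unless the caller discards the proxy state on -1 the same guard will fire on every later segment of that session; worth confirming against the caller, which is not in the hunk. ipf_p_pptp_nextmessage starts and ends outside the hunk.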
@@ -361,7 +363,9 @@ ipf_p_pptp_nextmessage(fr_info_t *fin, nat_t *nat, 
pptp_pxy_t *pptp, int rev)
                        }
                }
 
-               len = MIN(pptps->pptps_len - pptps->pptps_bytes, dlen);
+               if (pptps->pptps_len <= pptps->pptps_bytes)
+                       return (-1);
+               len = MIN((size_t)(pptps->pptps_len - pptps->pptps_bytes), 
dlen);
                COPYDATA(fin->fin_m, off, len, pptps->pptps_wptr);
                pptps->pptps_bytes += len;
                pptps->pptps_wptr += len;
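Review bot: The guard `if (pptps->pptps_len <= pptps->pptps_bytes) return (-1);` is placed at the copy site, but the value it defends against is fixed at the moment pptps_len is taken from the message header, and the case the commit describes (a length smaller than the 8-byte fixed header) could be rejected right there, before any state fields are advanced; that parse is outside the hunk, so this is a suggestion to verify rather than a defect in the visible lines. Separately, `<=` also returns -1 when pptps_len equals pptps_bytes; if that equality can legitimately occur on this path (message already complete before the copy), a valid stream would be dropped, and `<` with a comment `/* len must exceed the bytes already buffered for this message */` would be the narrower guard. The enclosing loop and the function's remainder are outside the hunk.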
