pipex_pptp_userland_output() always calls m_pullup() for 16 bytes of the
GRE message. But when npppd sends an ack-only GRE message, the message
is only 12 bytes long, so the m_pullup() fails. Call m_pullup()
with the proper length.
ok?
--- pipex.c-ORIG Mon Sep 27 09:32:16 2010
+++ pipex.c Mon Sep 27 09:46:54 2010
@@ -1808,22 +1808,30 @@ pipex_pptp_userland_lookup_session(struct mbuf *m0, st
struct mbuf *
pipex_pptp_userland_output(struct mbuf *m0, struct pipex_session *session)
{
- struct pipex_gre_header *gre;
+ int len;
+ struct pipex_gre_header *gre, gre0;
uint16_t flags;
u_char *cp, *cp0;
uint32_t val32;
+ len = sizeof(struct pipex_gre_header);
+ m_copydata(m0, 0, len, (caddr_t)&gre0);
+ gre = &gre0;
+ flags = ntohs(gre->flags);
+ if ((flags & PIPEX_GRE_SFLAG) != 0)
+ len += 4;
+ if ((flags & PIPEX_GRE_AFLAG) != 0)
+ len += 4;
+
/* check length */
- PIPEX_PULLUP(m0, sizeof(struct pipex_gre_header) + 8);
+ PIPEX_PULLUP(m0, len);
if (m0 == NULL) {
- PIPEX_DBG((session, LOG_DEBUG,
- "gre header is too short."));
+ PIPEX_DBG((session, LOG_DEBUG, "gre header is too short."));
return (NULL);
}
gre = mtod(m0, struct pipex_gre_header *);
cp = PIPEX_SEEK_NEXTHDR(gre, sizeof(struct pipex_gre_header), u_char *);
- flags = ntohs(gre->flags);
/*
* overwrite sequence numbers to adjust a gap between pipex and