Implement a fix from OpenBSD 5.6-stable:

bluerise · bluerise · commit c056ab502e77 · 2014-12-10T21:51:53.000+01:00
Check the header fields of GRE and MPPE packets strictly.
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pipex.c,v 1.55 2014/07/22 11:06:10 mpi Exp $	*/
+/*	$OpenBSD: pipex.c,v 1.55.4.1 2014/12/01 06:57:33 yasuoka Exp $	*/
 
 /*-
  * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -1037,6 +1037,7 @@ pipex_ppp_input(struct mbuf *m0, struct pipex_session *session, int decrypted)
 	struct m_tag *mtag;
 	struct pipex_tag *tag;
 
+	KASSERT(m0->m_pkthdr.len >= PIPEX_PPPMINLEN);
 	proto = pipex_ppp_proto(m0, session, 0, &hlen);
 #ifdef PIPEX_MPPE
 	if (proto == PPP_COMP) {
@@ -1294,7 +1295,8 @@ pipex_common_input(struct pipex_session *session, struct mbuf *m0, int hlen,
 	int proto, ppphlen;
 	u_char code;
 
-	if (m0->m_pkthdr.len < hlen + PIPEX_PPPMINLEN)
+	if ((m0->m_pkthdr.len < hlen + PIPEX_PPPMINLEN) ||
+	    (plen < PIPEX_PPPMINLEN))
 		goto drop;
 
 	proto = pipex_ppp_proto(m0, session, hlen, &ppphlen);
@@ -1358,6 +1360,7 @@ pipex_ppp_proto(struct mbuf *m0, struct pipex_session *session, int off,
 	int proto;
 	u_char *cp, pktbuf[4];
 
+	KASSERT(m0->m_pkthdr.len > sizeof(pktbuf));
 	m_copydata(m0, off, sizeof(pktbuf), pktbuf);
 	cp = pktbuf;
 
@@ -1621,6 +1624,13 @@ pipex_pptp_lookup_session(struct mbuf *m0)
 		goto not_ours;
 	}
 
+	/* flag check */
+	if ((flags & PIPEX_GRE_UNUSEDFLAGS) != 0) {
+		PIPEX_DBG((NULL, LOG_DEBUG,
+		    "<%s> gre header has unused flags at pptp.", __func__));
+		goto not_ours;
+	}
+
 	/* lookup pipex session table */
 	id = ntohs(gre.call_id);
 	session = pipex_lookup_by_session_id(PIPEX_PROTO_PPTP, id);
@@ -2575,6 +2585,8 @@ pipex_mppe_input(struct mbuf *m0, struct pipex_session *session)
 		mppe->coher_cnt++;
 		mppe->coher_cnt &= PIPEX_COHERENCY_CNT_MASK;
 	}
+	if (m0->m_pkthdr.len < PIPEX_PPPMINLEN)
+		goto drop;
 
 	pipex_ppp_input(m0, session, 1);
 
diff --git a/sys/net/pipex_local.h b/sys/net/pipex_local.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pipex_local.h,v 1.19 2013/04/20 07:54:28 yasuoka Exp $	*/
+/*	$OpenBSD: pipex_local.h,v 1.19.8.1 2014/12/01 06:57:33 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -217,7 +217,8 @@ struct pipex_gre_header {
 #define PIPEX_GRE_SFLAG			0x1000	/* seq present */
 #define PIPEX_GRE_AFLAG			0x0080	/* ack present */
 #define PIPEX_GRE_VER			0x0001	/* gre version code */
-#define PIPEX_GRE_VERMASK		0x0003	/* gre version mask */
+#define PIPEX_GRE_VERMASK		0x0007	/* gre version mask */
+#define PIPEX_GRE_UNUSEDFLAGS		0xcf78	/* unused at pptp. set 0 in rfc2637 */
 
 	uint16_t type;
 #define PIPEX_GRE_PROTO_PPP		0x880b	/* gre/ppp */
