From: bluhm <bluhm@openbsd.org>
Date: Tue, 30 Aug 2022 19:42:29 +0000 (+0000)
Subject: Syzkaller found a missing input validation in pipex mppe keylenbits.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=b18f9d9c6b701b3947b7dda3a359c0c4cf1462e6;p=openbsd

Syzkaller found a missing input validation in pipex mppe keylenbits.
Reported-by: syzbot+2eca95b271d07ab91b43@syzkaller.appspotmail.com
tested yasuoka@; OK mvs@ yasuoka@
---

diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index b4b8f6ca909..3a1a524c669 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pipex.c,v 1.147 2022/07/25 08:28:42 mvs Exp $ */
+/*	$OpenBSD: pipex.c,v 1.148 2022/08/30 19:42:29 bluhm Exp $ */
 
 /*-
  * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -277,12 +277,24 @@ pipex_init_session(struct pipex_session **rsession,
 	}
 #ifdef PIPEX_MPPE
 	if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ACCEPTED) != 0) {
-		if (req->pr_mppe_recv.keylenbits <= 0)
+		switch (req->pr_mppe_recv.keylenbits) {
+		case 40:
+		case 56:
+		case 128:
+			break;
+		default:
 			return (EINVAL);
+		}
 	}
 	if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_ENABLED) != 0) {
-		if (req->pr_mppe_send.keylenbits <= 0)
+		switch (req->pr_mppe_send.keylenbits) {
+		case 40:
+		case 56:
+		case 128:
+			break;
+		default:
 			return (EINVAL);
+		}
 	}
 	if ((req->pr_ppp_flags & PIPEX_PPP_MPPE_REQUIRED) != 0) {
 		if ((req->pr_ppp_flags &