From 38377f60aebb2caf61cc682329d54ff2776fa2c5 Mon Sep 17 00:00:00 2001
From: yasuoka
Date: Tue, 23 Jun 2015 07:07:33 +0000
Subject: [PATCH] Fix npppd to check the size of received GRE packets properly.
---
 usr.sbin/npppd/pptp/pptpd.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/usr.sbin/npppd/pptp/pptpd.c b/usr.sbin/npppd/pptp/pptpd.c
index 61b92a7bc89..c9a692657bb 100644
--- a/usr.sbin/npppd/pptp/pptpd.c
+++ b/usr.sbin/npppd/pptp/pptpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pptpd.c,v 1.26 2015/06/23 06:59:54 yasuoka Exp $ */
+/* $OpenBSD: pptpd.c,v 1.27 2015/06/23 07:07:33 yasuoka Exp $ */
 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -25,12 +25,12 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
-/* $Id: pptpd.c,v 1.26 2015/06/23 06:59:54 yasuoka Exp $ */
+/* $Id: pptpd.c,v 1.27 2015/06/23 07:07:33 yasuoka Exp $ */
 /**@file
 * This file provides a implementation of PPTP daemon. Currently it
 * provides functions for PAC (PPTP Access Concentrator) only.
- * $Id: pptpd.c,v 1.26 2015/06/23 06:59:54 yasuoka Exp $
+ * $Id: pptpd.c,v 1.27 2015/06/23 07:07:33 yasuoka Exp $
 */
 #include
 #include
@@ -741,7 +741,7 @@ pptpd_gre_input(pptpd_listener *listener, struct sockaddr *peer, u_char *pkt,
 hlen = iphdr->ip_hl * 4;
 if (iphdr->ip_len > lpkt ||
- iphdr->ip_len < sizeof(struct pptp_gre_header)) {
+ iphdr->ip_len < hlen + sizeof(struct pptp_gre_header)) {
 pptpd_log(_this, LOG_ERR, "Received a broken packet: ip_hl=%d iplen=%d lpkt=%d", hlen, iphdr->ip_len, lpkt);
-- 
2.20.1
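Review bot: In the `pptpd_gre_input` hunk, `hlen` is taken from the packet's own `ip_hl` field and the visible lines put no lower bound on it, so a header length below `sizeof(struct ip)` still passes the corrected test and the GRE header would presumably be parsed from inside the IP header instead of after it. Unless an earlier check already covers this (the function body starts and ends outside the hunk), the condition could begin with `hlen < sizeof(struct ip) ||` so such packets are logged and dropped as broken. The new comparison does keep `hlen + sizeof(struct pptp_gre_header) <= ip_len <= lpkt`, so this is about rejecting malformed input early rather than an out-of-bounds read. A one-line comment above the `if`, such as `/* ip_len must cover the IP header plus a full GRE header and fit in the received buffer */`, would record the invariant the later parsing relies on. It is also worth confirming outside the hunk that `lpkt` is checked against `sizeof(struct ip)` before `iphdr->ip_hl` is read.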