Apply by doing: cd /usr/src patch -p0 < 022_pppd.patch Then rebuild and install pppd: cd usr.sbin/pppd make obj make make install Index: usr.sbin/pppd/cbcp.c =================================================================== RCS file: /cvs/src/usr.sbin/pppd/cbcp.c,v retrieving revision 1.5 retrieving revision 1.5.8.1 diff -u -p -r1.5 -r1.5.8.1 --- usr.sbin/pppd/cbcp.c 13 Sep 2002 18:19:45 -0000 1.5 +++ usr.sbin/pppd/cbcp.c 5 Nov 2004 01:46:25 -0000 1.5.8.1 @@ -147,13 +147,10 @@ cbcp_input(unit, inpacket, pktlen) GETCHAR(id, inp); GETSHORT(len, inp); -#if 0 - if (len > pktlen) { + if (len < CBCP_MINLEN || len > pktlen) { syslog(LOG_ERR, "CBCP packet: invalid length"); return; } -#endif - len -= CBCP_MINLEN; switch(code) { @@ -286,12 +283,16 @@ cbcp_recvreq(us, pckt, pcktlen) address[0] = 0; - while (len) { + while (len > 1) { syslog(LOG_DEBUG, "length: %d", len); GETCHAR(type, pckt); GETCHAR(opt_len, pckt); + if (len < opt_len) + break; + len -= opt_len; + if (opt_len > 2) GETCHAR(delay, pckt); @@ -320,7 +321,6 @@ cbcp_recvreq(us, pckt, pcktlen) case CB_CONF_LIST: break; } - len -= opt_len; } cbcp_resp(us); @@ -414,10 +414,13 @@ cbcp_recvack(us, pckt, len) int opt_len; char address[256]; - if (len) { + if (len > 1) { GETCHAR(type, pckt); GETCHAR(opt_len, pckt); - + + if (opt_len > len) + return; + if (opt_len > 2) GETCHAR(delay, pckt);
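Review bot: The new bounds check in cbcp_input has no comment saying why the lower bound matters, and its log line omits the offending values. `len` is filled from the packet by GETSHORT and is reduced by CBCP_MINLEN right after the check, so a value below CBCP_MINLEN would go negative or wrap, depending on how `len` is declared outside the hunk. A comment above the `if` such as `/* len comes from the peer: it must cover the CBCP header and fit in the received data */` would record that. For triage I would also log both numbers, e.g. `syslog(LOG_ERR, "CBCP packet: invalid length %d (received %d)", len, pktlen);`. The function starts and ends outside the hunk, so I am assuming pktlen itself is validated before the GETCHAR/GETSHORT reads.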
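Review bot: In cbcp_recvreq the added guard `if (len < opt_len) break;` bounds the option length from above only, so an `opt_len` of 0 or 1 is still accepted. The two GETCHAR reads have already advanced `pckt` by two bytes, but `len -= opt_len` then subtracts less than that (nothing for 0), so the remaining-length counter falls out of step with the pointer and the `while (len > 1)` loop can keep reading past the received data. I would reject short options in the same test: `if (opt_len < 2 || opt_len > len) break;`. The `break` also falls through to `cbcp_resp(us)` (visible in the following hunk), so a request with a malformed option is still answered and nothing is logged; a syslog line before the break would make such packets visible. The loop body continues outside this hunk.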
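Review bot: The added `if (opt_len > len) return;` in cbcp_recvack drops a malformed ack silently, whereas cbcp_input logs "CBCP packet: invalid length" for the equivalent condition. Logging here too would let an operator see that a peer is sending inconsistent option lengths, and a lower bound would reject an option shorter than its own two-byte type/length header: `if (opt_len < 2 || opt_len > len) {` `syslog(LOG_ERR, "CBCP ack: invalid option length");` `return; }`. As a style point, the comparison is written the other way round from the cbcp_recvreq hunk (`len < opt_len`), and the blank line replaced just above it appears to change only whitespace. The rest of the function is outside the hunk.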