I just came across a broken PPP PAP ACK packet which was just 4 bytes
long, because it lacked the message-length octet.
pppd 2.4.5 accepts such truncated PPP PAP ACKs and only logs a debugging
message, but at least it generates 5-byte packets. LWIP copied that
code. TI NDK accepts truncated packets as well, although it also
generates them, so perhaps it counts less. Wireshark correctly detects
truncated authentication ACKs for PAP in PPP, but tcpdump does not.
break;
case PAP_AACK:
case PAP_ANAK:
+ /* Although some implementations ignore truncation at
+ * this point and at least one generates a truncated
+ * packet, RFC 1334 section 2.2.2 clearly states that
+ * both AACK and ANAK are at least 5 bytes long.
+ */
+ if (len < 5)
+ goto trunc;
if (length - (p - p0) < 1)
return;
ND_TCHECK(*p);
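Review bot: the new `if (len < 5)` test is written against `len`, while the existing check directly below it uses `length - (p - p0)`, so it is worth confirming that `len` holds the value of the PAP Length field at this point, or writing both checks against the same variable so their relationship is obvious. Separately, `goto trunc` reports the packet the same way as one cut short by the capture; since the comment describes a peer that actually emits the short packet, a distinct message saying the length is below the RFC 1334 minimum would tell the reader the packet is malformed rather than snapped. It may also be worth checking whether the following `length - (p - p0) < 1` test, which returns without printing anything, is still reachable once this check is in place.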