-rw-r--r--net/mpd5/Makefile2
-rw-r--r--net/mpd5/files/patch-pppoe.c34
2 files changed, 35 insertions, 1 deletions
diff --git a/net/mpd5/Makefile b/net/mpd5/Makefile
index 1955acfe1817..81fc894b519b 100644
--- a/net/mpd5/Makefile
+++ b/net/mpd5/Makefile
@@ -2,7 +2,7 @@
PORTNAME= mpd
DISTVERSION= 5.9
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net
MASTER_SITES= SF/${PORTNAME}/Mpd5/Mpd-${PORTVERSION}
PKGNAMESUFFIX= 5
diff --git a/net/mpd5/files/patch-pppoe.c b/net/mpd5/files/patch-pppoe.c
new file mode 100644
index 000000000000..ccc3e117df6a
--- /dev/null
+++ b/net/mpd5/files/patch-pppoe.c
@@ -0,0 +1,34 @@
+Index: src/pppoe.c
+===================================================================
+--- src/pppoe.c (revision 2420)
++++ src/pppoe.c (revision 2423)
+@@ -1257,6 +1257,8 @@ PppoeListenEvent(int type, void *arg)
+ const struct pppoe_hdr *ph;
+ const struct pppoe_tag *tag;
+
++ u_int16_t length;
++
+ union {
+ u_char buf[sizeof(struct ngpppoe_init_data) + MAX_SESSION];
+ struct ngpppoe_init_data poeid;
+@@ -1288,6 +1290,20 @@ PppoeListenEvent(int type, void *arg)
+
+ wh = (struct pppoe_full_hdr *)response;
+ ph = &wh->ph;
++
++ /* Sanity check */
++ length = ntohs(ph->length);
++ if (length > (size_t)sz - sizeof(struct pppoe_full_hdr)) {
++ Log(LG_PHYS, ("Ignored incoming PPPoE connection request "
++ "via %s for service \"%s\" from %s "
++ "due to bad length %hu > %u",
++ PIf->ifnodepath, session,
++ ether_ntoa((const struct ether_addr *)&wh->eh.ether_shost),
++ length,
++ (unsigned)((size_t)sz - sizeof(struct pppoe_full_hdr))));
++ return;
++ }
++
+ if ((tag = get_tag(ph, PTT_SRV_NAME))) {
+ size_t len = ntohs(tag->tag_len);
+ if (len >= sizeof(real_session))
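Review bot: The bound `(size_t)sz - sizeof(struct pppoe_full_hdr)` in the added sanity check wraps to a very large value when sz is smaller than the full header, so the `length > ...` test would then accept any advertised length. No lower-bound check on sz is visible in this hunk, and PppoeListenEvent starts and ends outside it. If no such check exists earlier in the function, extend the condition, e.g. `if ((size_t)sz < sizeof(struct pppoe_full_hdr) || length > (size_t)sz - sizeof(struct pppoe_full_hdr)) {`. The log call also reads `wh->eh.ether_shost`, which is only meaningful once the whole header is known to have been received. I would also replace `/* Sanity check */` with a comment saying that `length` comes from the wire and must not exceed the payload bytes actually received, since the tag parsing that follows relies on it.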