From c770205890407bf0ebe978c517f5b669c0d6bcc6 Mon Sep 17 00:00:00 2001
From: Dominique Martinet
Date: Sat, 5 Nov 2022 21:35:53 +0900
Subject: [PATCH] pppoe_sess_send: check packet length before reading header

if the packet is too small then reading pack + ETH_HLEN is invalid, first check that the packet is big enough then read the header at an offset we know is valid
Reported-by: Coverity#375305
---
 pppoe.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/pppoe.c b/pppoe.c
index c6bc12d..28d0661 100644
--- a/pppoe.c
+++ b/pppoe.c
@@ -343,7 +343,7 @@ static void pppoe_disc_send(const uint8_t *pack)

 void pppoe_sess_send(const uint8_t *pack, uint16_t l, tunnelidt t)
 {
- struct pppoe_hdr *hdr = (struct pppoe_hdr *)(pack + ETH_HLEN);
+ struct pppoe_hdr *hdr;
 int n;
 uint16_t sizeppp;
 sessionidt s;
@@ -354,6 +354,13 @@ void pppoe_sess_send(const uint8_t *pack, uint16_t l, tunnelidt t)
 return;
 }

+ if (l < (ETH_HLEN + sizeof(*hdr) + 3))
+ {
+ LOG(3, 0, t, "ERROR pppoe_sess_send: packet too small for pppoe sent (size=%d)\n", l);
+ return;
+ }
+
+ hdr = (struct pppoe_hdr *)(pack + ETH_HLEN);
 s = ntohs(hdr->sid);
 if (session[s].tunnel != t)
 {
@@ -361,12 +368,6 @@ void pppoe_sess_send(const uint8_t *pack, uint16_t l, tunnelidt t)
 return;
 }

- if (l < (ETH_HLEN + sizeof(*hdr) + 3))
- {
- LOG(0, s, t, "ERROR pppoe_sess_send: packet too small for pppoe sent (size=%d)\n", l);
- return;
- }
-
 // recalculate the ppp frame length
 sizeppp = l - (ETH_HLEN + sizeof(*hdr));
 hdr->length = htons(sizeppp);
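Review bot: In the second hunk of pppoe_sess_send, `s = ntohs(hdr->sid)` is still used as `session[s]` on the next line with no range check visible, so the relocated length guard makes the header read valid but not the table lookup. Whether every value of `sessionidt` is a valid index is not shown in this patch; if the table is smaller, add `if (s >= SESSION_TABLE_SIZE) return;` before the tunnel comparison (SESSION_TABLE_SIZE is a placeholder for the project's own bound). The `+ 3` in the length check would also benefit from a short comment saying which trailing bytes it accounts for, since the value is not explained anywhere in the hunk. The function body starts and continues outside these hunks.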