From ffcaf851ca90cbd6cd30723a0273b5eee8911c4b Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Sat, 8 Mar 2025 18:39:20 -0500
Subject: [PATCH] ppp: Also choke on options with invalid length 1

---
 ppp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ppp.c b/ppp.c
index 7f5a5d2..57b4340 100644
--- a/ppp.c
+++ b/ppp.c
@@ -631,7 +631,7 @@ void processlcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
 			int type = o[0];
 			int length = o[1];
 
-			if (length == 0 || type == 0 || x < length) break;
+			if (length == 0 || length == 1 || type == 0 || x < length) break;
 			switch (type)
 			{
 				case 1: // Maximum-Receive-Unit
@@ -1314,7 +1314,7 @@ void processipcp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
 
 		while (length > 2)
 		{
-			if (!o[1] || o[1] > length) return;
+			if (!o[1] || o[1] == 1 || o[1] > length) return;
 
 			switch (*o)
 			{
@@ -1573,7 +1573,7 @@ void processipv6cp(sessionidt s, tunnelidt t, uint8_t *p, uint16_t l)
 
 		while (length > 2)
 		{
-			if (!o[1] || o[1] > length) return;
+			if (!o[1] || o[1] == 1 || o[1] > length) return;
 
 			switch (*o)
 			{