$NetBSD: patch-al,v 1.1.1.1 2005/01/02 02:51:42 cube Exp $

--- pppd/cbcp.c.orig	2004-10-28 02:15:36.000000000 +0200
+++ pppd/cbcp.c
@@ -166,7 +166,7 @@ cbcp_input(unit, inpacket, pktlen)
 
     if (pktlen < CBCP_MINLEN) {
 	if (debug)
-	    dbglog("CBCP packet is too small");
+	    dbglog("CBCP packet is too short (%d)", pktlen);
 	return;
     }
 
@@ -176,7 +176,7 @@ cbcp_input(unit, inpacket, pktlen)
 
     if (len > pktlen || len < CBCP_MINLEN) {
 	if (debug)
-	    dbglog("CBCP packet: invalid length %d", len);
+	    dbglog("CBCP packet: invalid length %d/%d", len, pktlen);
         return;
     }
 
@@ -321,6 +321,12 @@ cbcp_recvreq(us, pckt, pcktlen)
 	if (opt_len < 2 || opt_len > len)
 	    break;
 
+	/* seriously malformed, stop processing */
+	if (opt_len > len) {
+	    error("CBCP: Malformed option length (%d/%d)", opt_len, len);
+	    break;
+	}
+
 	if (opt_len > 2)
 	    GETCHAR(delay, pckt);