Bug 271924 - short pred1 compressed packet can cause ppp to write off the end of a buffer
Summary: short pred1 compressed packet can cause ppp to write off the end of a buffer
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-net (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-09 18:16 UTC by Robert Morris
Modified: 2023-06-13 00:58 UTC
CC: 0 users

See Also:


Attachments
crash ppp by sending a short pred1 compressed packet (7.07 KB, text/plain), 2023-06-09 18:16 UTC, Robert Morris

Description Robert Morris 2023-06-09 18:16:17 UTC
Created attachment 242704
crash ppp by sending a short pred1 compressed packet

If the sender has negotiated ppp pred1 compression, then sending this
too-short compressed HDLC frame:

  7e fd ff 4f cc 7e

causes ppp's Pred1Input() to pass a negative length to decompress(),
which (since decompress() only checks for equality with zero) is
effectively a huge length.

The negative length comes from this subtraction in Pred1Input():

  olen = m_length(bp);
  ...;
    len1 = decompress(state, cp, pp, olen - 4);

With the above input frame, the mbuf at this point has a length of 3.

A backtrace from the attached demo ppp27a.c:

#0  0x000009cc8c70aff0 in decompress (state=0x9d4b663c700, 
    source=0x9d4b66f28e9 "", 
    dest=0x9d4b6787000 <error: Cannot access memory at address 0x9d4b6787000>, 
    len=-1025456) at /usr/src/usr.sbin/ppp/pred.c:119
#1  Pred1Input (v=0x9d4b663c700, ccp=0x9d4b65d5340, proto=0x9d4ad6d2f1e, 
    bp=0x9d4b65f8300) at /usr/src/usr.sbin/ppp/pred.c:238
#2  0x000009cc8c6dda10 in ccp_LayerPull (b=<optimized out>, l=<optimized out>, 
    bp=0x9d4b65f8300, proto=0x9d4ad6d2f1e) at /usr/src/usr.sbin/ppp/ccp.c:765
#3  0x000009cc8c6feff4 in link_PullPacket (l=0x9d4b65d4600, 
    buf=<optimized out>, len=<optimized out>, 
    b=0x9cc8c7254b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/link.c:315
#4  0x000009cc8c6d8e25 in bundle_DescriptorRead (d=<optimized out>, 
    bundle=0x9cc8c7254b0 <bundle_Create.bundle>, fdset=0x9d4b65ff140)
    at /usr/src/usr.sbin/ppp/bundle.c:546
#5  0x000009cc8c702704 in DoLoop (bundle=0x9cc8c7254b0 <bundle_Create.bundle>)
    at /usr/src/usr.sbin/ppp/main.c:661
#6  main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535
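The defect the report describes is an unsigned-to-signed length subtraction with no minimum-length check in front of it: with a 3-byte mbuf, `olen - 4` is -1, and a decompressor that only stops on `len == 0` treats that as an effectively unbounded count. The following C program is an added illustration written for this page; it is not code from the report, from the attached ppp27a.c, or from FreeBSD's ppp. `PRED1_OVERHEAD` is taken from the `olen - 4` in the report, `sim_decompress()` is a stand-in that mirrors the "only checks for equality with zero" loop condition but refuses to write past its destination instead of corrupting memory, and the 3-byte input is a constructed buffer whose only property that matters is its length (the length the report says the mbuf has at that point). The two entry points show the vulnerable shape beside the hardened one, where the fix is to reject any frame shorter than the overhead it must carry before doing the subtraction.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes Pred1Input() strips before calling decompress(): the report shows
 * "olen - 4". Assumed constant for this example. */
#define PRED1_OVERHEAD 4

/* Outcomes of the simulated input path. */
enum pred1_result { PRED1_OK = 0, PRED1_TOO_SHORT = 1, PRED1_WOULD_OVERRUN = 2 };

/* Stand-in for decompress() (not the real function). Like the loop the report
 * describes, it keeps going while len != 0, so a negative len behaves as a huge
 * one. Unlike the real code, it stops and reports instead of writing past dest
 * or reading past src. */
static enum pred1_result
sim_decompress(const unsigned char *src, size_t src_len, int len,
               unsigned char *dest, size_t dest_cap, size_t *written)
{
    *written = 0;
    while (len != 0) {              /* the equality-with-zero check */
        if (*written >= dest_cap || *written >= src_len)
            return PRED1_WOULD_OVERRUN;   /* the real code would write here */
        dest[*written] = src[*written];   /* identity "decompression" */
        (*written)++;
        len--;
    }
    return PRED1_OK;
}

/* Vulnerable shape: the report's subtraction with no minimum-length check.
 * olen == 3 yields len == -1. */
static enum pred1_result
pred1_input_unchecked(const unsigned char *frame, size_t olen,
                      unsigned char *dest, size_t dest_cap, size_t *written)
{
    int len = (int)olen - PRED1_OVERHEAD;
    return sim_decompress(frame, olen, len, dest, dest_cap, written);
}

/* Hardened shape: drop any frame too short to carry the overhead, before the
 * subtraction can go negative. */
static enum pred1_result
pred1_input_checked(const unsigned char *frame, size_t olen,
                    unsigned char *dest, size_t dest_cap, size_t *written)
{
    *written = 0;
    if (olen < PRED1_OVERHEAD)
        return PRED1_TOO_SHORT;
    return sim_decompress(frame, olen, (int)(olen - PRED1_OVERHEAD),
                          dest, dest_cap, written);
}

int main(void)
{
    /* Constructed 3-byte mbuf content; only its length matters here. */
    unsigned char short_mbuf[3] = { 0x01, 0x02, 0x03 };
    unsigned char dest[16];
    size_t n;
    enum pred1_result r;

    r = pred1_input_unchecked(short_mbuf, sizeof short_mbuf, dest, sizeof dest, &n);
    printf("unchecked: result=%d, bytes copied before refusal=%zu\n", (int)r, n);

    r = pred1_input_checked(short_mbuf, sizeof short_mbuf, dest, sizeof dest, &n);
    printf("checked:   result=%d (frame dropped before decompress)\n", (int)r);
    return 0;
}
```

The unchecked path runs the loop with `len == -1` until the bound trips; the checked path never reaches the decompressor. In a real fix the rejected frame should also be counted (a dropped-frame statistic or log line) so that a peer repeatedly sending undersized compressed frames is visible to the operator.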