untrusted comment: verify with openbsd-72-base.pub
RWQTKNnK3CZZ8FRFasLkFh2XrPAuZ0iqGYjkRDFX9rRhzy/rDBiL0X5idu2cVU+JNlRKkWPduCpi5zjB+HOSSGc2fDJ8qLfQZQQ=
OpenBSD 7.2 errata 038, September 21, 2023:
npppd(8) could crash by a l2tp message which has an AVP with wrong length.
Apply by doing:
    signify -Vep /etc/signify/openbsd-72-base.pub \
      -x 038_npppd.patch.sig -m - | (cd /usr/src && patch -p0)
And then rebuild and install npppd:
    cd /usr/src/usr.sbin/npppd
    make obj
    make
    make install
Index: usr.sbin/npppd/l2tp/l2tp_subr.c
===================================================================
RCS file: /cvs/src/usr.sbin/npppd/l2tp/l2tp_subr.c,v
diff -u -p -r1.4 l2tp_subr.c
--- usr.sbin/npppd/l2tp/l2tp_subr.c 8 May 2012 13:15:11 -0000 1.4
+++ usr.sbin/npppd/l2tp/l2tp_subr.c 18 Sep 2023 17:24:32 -0000
@@ -80,10 +80,10 @@ avp_enum(struct l2tp_avp *avp, const u_c
 avp->attr_type |= *(pkt + 1);
 pkt += 2;
- if (avp->length > pktlen)
+ if (avp->length < 6 || avp->length > pktlen)
 return -1;
- if (filldata != 0)
+ if (avp->length > 6 && filldata != 0)
 memcpy(avp->attr_value, pkt, avp->length - 6);
 return avp->length;
@@ -285,9 +285,8 @@ avp_find(struct l2tp_avp *avp, const u_c
 while (pktlen >= 6 && (avpsz = avp_enum(avp, pkt, pktlen, fill_data)) > 0) {
+ L2TP_SUBR_ASSERT(avpsz >= 6);
 if (avp->vendor_id != vendor_id || avp->attr_type != attr_type) {
- if (avpsz < 6)
- return NULL;
 pkt += avpsz;
 pktlen -= avpsz;
 continue;
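Review bot: Nothing in the visible lines of avp_enum() bounds the memcpy() by the capacity of `avp->attr_value`; the added checks only constrain the source side (`avp->length` is at least 6 and at most `pktlen`). The declaration of `struct l2tp_avp` and the buffers callers pass in are outside this hunk, so the destination size should be confirmed rather than assumed. The lower bound also deserves a comment above the check, for example `/* an AVP shorter than its 6-byte header would take length - 6 below zero before memcpy() sees it */`. The bare `6` appears three times in this hunk and again in avp_find(), so a named constant for the header size would keep those sites in step. The function starts and ends outside the hunk.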
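Review bot: The `avpsz >= 6` invariant in avp_find() is now enforced only through `L2TP_SUBR_ASSERT`, whose definition is not on this page; if that macro expands to nothing in release builds, the loop depends entirely on avp_enum() never returning a value between 1 and 5. That holds with the first hunk applied, but the coupling should be written down next to the assertion, e.g. `/* avp_enum() rejects length < 6, so pktlen always shrinks by at least one header */`. A negative return from avp_enum() also just ends the loop here, so a malformed AVP appears to be indistinguishable from an absent one unless the code after the hunk logs it. The loop body continues outside the hunk.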