Date: Wed, 8 Sep 2021 22:19:16 GMT
Message-Id: <202109082219.188MJG8C029729@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Eugene Grosbein
Subject: git: f51bea8bb347 - 2021Q3 - net/mpd5: fix PPPoE Server remotely exploitable crash
X-Git-Committer: eugen
X-Git-Repository: ports
X-Git-Refname: refs/heads/2021Q3
X-Git-Reftype: branch
X-Git-Commit: f51bea8bb3478f022a3c337273c07ccfb8cc5694
List-Id: Commits to the quarterly branches of the FreeBSD ports repository

The branch 2021Q3 has been updated by eugen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f51bea8bb3478f022a3c337273c07ccfb8cc5694

commit f51bea8bb3478f022a3c337273c07ccfb8cc5694
Author: Eugene Grosbein
AuthorDate: 2021-09-08 22:04:31 +0000
Commit: Eugene Grosbein
CommitDate: 2021-09-08 22:18:15 +0000

net/mpd5: fix PPPoE Server remotely exploitable crash

This is a security fix for PPPoE servers.
Insufficient validation of an incoming PPPoE Discovery request specially crafted by an unauthenticated user might lead to unexpected termination of the process.

The problem affects mpd versions since 5.0.
Installations not using PPPoE server configuration were not affected.

Reported by: paul & Yannick C at SourceForge
Tested by: paul & Yannick C at SourceForge
Security: f55921aa-10c9-11ec-8647-00e0670f2660

(cherry picked from commit 1f6fcc264e1dfc53f5cd42cad335e5375abe080d)
--- net/mpd5/Makefile | 2 +- net/mpd5/files/patch-pppoe.c | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/net/mpd5/Makefile b/net/mpd5/Makefile index 1955acfe1817..81fc894b519b 100644 --- a/net/mpd5/Makefile +++ b/net/mpd5/Makefile 
@@ -2,7 +2,7 @@ PORTNAME= mpd DISTVERSION= 5.9 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net MASTER_SITES= SF/${PORTNAME}/Mpd5/Mpd-${PORTVERSION} PKGNAMESUFFIX= 5 diff --git a/net/mpd5/files/patch-pppoe.c b/net/mpd5/files/patch-pppoe.c new file mode 100644 index 000000000000..ccc3e117df6a --- /dev/null +++ b/net/mpd5/files/patch-pppoe.c @@ -0,0 +1,34 @@ +Index: src/pppoe.c +=================================================================== +--- src/pppoe.c (revision 2420) ++++ src/pppoe.c (revision 2423) +@@ -1257,6 +1257,8 @@ PppoeListenEvent(int type, void *arg) + const struct pppoe_hdr *ph; + const struct pppoe_tag *tag; + ++ u_int16_t length; ++ + union { + u_char buf[sizeof(struct ngpppoe_init_data) + MAX_SESSION]; + struct ngpppoe_init_data poeid; +@@ -1288,6 +1290,20 @@ PppoeListenEvent(int type, void *arg) + + wh = (struct pppoe_full_hdr *)response; + ph = &wh->ph; ++ ++ /* Sanity check */ ++ length = ntohs(ph->length); ++ if (length > (size_t)sz - sizeof(struct pppoe_full_hdr)) { ++ Log(LG_PHYS, ("Ignored incoming PPPoE connection request " ++ "via %s for service \"%s\" from %s " ++ "due to bad length %hu > %u", ++ PIf->ifnodepath, session, ++ ether_ntoa((const struct ether_addr *)&wh->eh.ether_shost), ++ length, ++ (unsigned)((size_t)sz - sizeof(struct pppoe_full_hdr)))); ++ return; ++ } ++ + if ((tag = get_tag(ph, PTT_SRV_NAME))) { + size_t len = ntohs(tag->tag_len); + if (len >= sizeof(real_session))
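
Review bot: In the sanity check added to PppoeListenEvent() (inner hunk @@ -1288,6 +1290,20 @@ of patch-pppoe.c), the bound `(size_t)sz - sizeof(struct pppoe_full_hdr)` is computed in unsigned arithmetic, so if `sz` is smaller than the full header, or negative, the subtraction wraps to a very large value and no 16-bit `length` can exceed it. The check then passes exactly when the received buffer is shortest. Unless code above the visible context already rejects that case, test it first, for example `if (sz < 0 || (size_t)sz < sizeof(struct pppoe_full_hdr)) return;`, and log it the same way as the bad-length case. The same wrapped value would also be printed by the `%u` argument in the Log() call, so computing the available payload size once into a local after the short-read test would keep the comparison and the message consistent. Separately, this check bounds only the overall `ph->length`; whether each tag's `tag_len` is kept within `length` depends on get_tag(), which is not shown here, and is worth confirming before relying on the `ntohs(tag->tag_len)` read that follows.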