Date: Sat, 03 Jun 2023 14:34:12 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271805] off-by-one error in protoname() in ppp's lcp.c -> bad pointer dereference
Message-ID: <bug-271805-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271805

            Bug ID: 271805
           Summary: off-by-one error in protoname() in ppp's lcp.c -> bad pointer dereference
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Attachment #242575 text/plain mime type:

Created attachment 242575
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242575&action=edit
crash ppp by tripping over an off-by-one error in protoname()

In /usr/src/usr.sbin/ppp/lcp.c, in protoname():

  if (proto > sizeof cftypes / sizeof *cftypes || cftypes[proto] == NULL)
    return HexStr(proto, NULL, 0);

I think it should be >= rather than >.

I've attached a demo program, which produces a crash with this backtrace:

#0  strlen () at /usr/src/lib/libc/amd64/string/strlen.S:47
#1  0x000022d936d7ba23 in __vfprintf (fp=0x22d931e9c888, locale=0x22d936e3b278 <__xlocale_global_locale>, fmt0=0x22d111d89c2f " %s[%d]", ap=0x22d931e9c9c0) at /usr/src/lib/libc/stdio/vfprintf.c:854
#2  0x000022d936d78ab0 in snprintf (str=0x22d931e9cae0 "\035", n=19, fmt=0x22d111d89c2f " %s[%d]") at /usr/src/lib/libc/stdio/snprintf.c:74
#3  0x000022d111dc24da in LcpDecodeConfig (fp=0x22d93917b7e8, cp=0x22d93919f237 '\245' <repeats 200 times>..., end=0x22d93919f16c "\377\377\377\377\377\377\377\377\263Ä¥", '\245' <repeats 137 times>, mode_type=0, dec=0x22d931e9cd50) at /usr/src/usr.sbin/ppp/lcp.c:683
#4  0x000022d111db68f6 in FsmRecvConfigReq (fp=0x22d93917b7e8, lhp=0x22d931e9cee8, bp=0x22d93919f100) at /usr/src/usr.sbin/ppp/fsm.c:496
#5  0x000022d111db5fd0 in fsm_Input (fp=fp@entry=0x22d93917b7e8, bp=bp@entry=0x22d93919f100) at /usr/src/usr.sbin/ppp/fsm.c:1096
#6  0x000022d111dc1d0c in lcp_Input (bundle=<optimized out>, l=<optimized out>, bp=0x22d93919f100) at /usr/src/usr.sbin/ppp/lcp.c:1305
#7  0x000022d111dc416c in Despatch (bundle=0x22d111dea4b0 <bundle_Create.bundle>, l=0x22d93917b600, bp=0x22d93919f100, proto=<optimized out>) at /usr/src/usr.sbin/ppp/link.c:381
#8  link_PullPacket (l=0x22d93917b600, buf=<optimized out>, len=<optimized out>, b=0x22d111dea4b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/link.c:323
#9  0x000022d111d9de25 in bundle_DescriptorRead (d=<optimized out>, bundle=0x22d111dea4b0 <bundle_Create.bundle>, fdset=0x22d9391a6140) at /usr/src/usr.sbin/ppp/bundle.c:546
#10 0x000022d111dc7704 in DoLoop (bundle=0x22d111dea4b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/main.c:661
#11 main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535

-- 
You are receiving this mail because:
You are the assignee for the bug.
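The following is an added example, not part of the bug report and not FreeBSD's ppp code. It isolates the bounds check the report describes: with `>` the index equal to the element count passes the test and `cftypes[proto]` reads one element past the array, whereas `>=` rejects it. The `cftypes` table here is constructed sample data (the real table is not reproduced), `protoname_fixed` stands in for ppp's `protoname()` with the corrected comparison, and ppp's `HexStr` is replaced by a plain `snprintf` into a caller-supplied buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ppp's cftypes table (names indexed by LCP option
 * type). The entries are sample data, not the real table. */
static const char *const cftypes[] = {
    NULL,        /* 0: no option of this type */
    "MRU",       /* 1 */
    "ACCMAP",    /* 2 */
    NULL,        /* 3: constructed hole, exercises the NULL branch */
    "QUALPROTO", /* 4 */
};
#define NCFTYPES (sizeof cftypes / sizeof *cftypes)

/* The comparison as reported: "proto > count". For proto == NCFTYPES this
 * returns true, so the caller goes on to read cftypes[NCFTYPES], which is one
 * element past the end of the array. Only the predicate is modelled here; no
 * out-of-bounds read is performed. */
static bool lookup_allowed_buggy(unsigned proto)
{
    return !(proto > NCFTYPES);
}

/* Corrected comparison: valid indexes are 0 .. NCFTYPES-1. */
static bool lookup_allowed_fixed(unsigned proto)
{
    return !(proto >= NCFTYPES);
}

/* protoname()-style lookup using the corrected bound. Unknown or unnamed
 * types are rendered as hex into buf (stand-in for ppp's HexStr). */
static const char *protoname_fixed(unsigned proto, char *buf, size_t buflen)
{
    if (proto >= NCFTYPES || cftypes[proto] == NULL) {
        snprintf(buf, buflen, "0x%02x", proto);
        return buf;
    }
    return cftypes[proto];
}

/* Returns 1 if protoname_fixed(proto) yields the expected string, else 0. */
int protoname_matches(unsigned proto, const char *expected)
{
    char buf[16];
    return strcmp(protoname_fixed(proto, buf, sizeof buf), expected) == 0;
}

int main(void)
{
    char buf[16];
    /* The index equal to the element count is the off-by-one case. */
    printf("proto=%zu: buggy check allows=%d, fixed check allows=%d\n",
           NCFTYPES, lookup_allowed_buggy((unsigned)NCFTYPES),
           lookup_allowed_fixed((unsigned)NCFTYPES));
    for (unsigned p = 0; p <= NCFTYPES; p++)
        printf("protoname(%u) = %s\n", p, protoname_fixed(p, buf, sizeof buf));
    return 0;
}
```

The buggy predicate is kept as a pure boolean so the example can show the difference between the two comparisons without itself reading past the array; the lookup function only ever uses the corrected bound.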