Date:      Fri, 09 Jun 2023 18:16:17 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 271924] short pred1 compressed packet can cause ppp to write off the end of a buffer
Message-ID:  <bug-271924-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271924

            Bug ID: 271924
           Summary: short pred1 compressed packet can cause ppp to write
                    off the end of a buffer
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #242704 mime type: text/plain

Created attachment 242704
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242704&action=edit
crash ppp by sending a short pred1 compressed packet

If the sender has negotiated ppp pred1 compression, then sending this
too-short compressed HDLC frame:

  7e fd ff 4f cc 7e

causes ppp's Pred1Input() to pass a negative length to decompress(),
which (since decompress() only checks for equality with zero) is
effectively a huge length.

The negative length comes from this subtraction in Pred1Input():

  olen = m_length(bp);
  ...;
    len1 = decompress(state, cp, pp, olen - 4);

With the above input frame, the mbuf at this point has a length of 3.
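An added illustration, not code from ppp or from the attached ppp27a.c: it models the length computation described above, with the unchecked `olen - 4` and a loop guard that stops only on zero beside a check that rejects mbufs too short to carry a pred1 packet. That the 4 bytes are a 2-byte length header plus a 2-byte CRC is an assumption, and `bytes_written_by_zero_only_check` is a constructed stand-in for decompress() that counts instead of writing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the length handling the report describes; this is not the ppp
 * source.  Assumption: "olen - 4" strips a 2-byte pred1 length header plus
 * a 2-byte CRC, so 4 is the fixed per-packet overhead. */
#define PRED1_OVERHEAD 4

/* As reported: a bare subtraction whose result is handed over as an int,
 * so an mbuf shorter than 4 bytes yields a negative length. */
int pred1_payload_len_unchecked(size_t olen)
{
    return (int)olen - PRED1_OVERHEAD;
}

/* Stand-in for a decompress loop that only tests len == 0.  Instead of
 * writing anywhere, it counts the bytes such a loop would emit, capped at
 * dest_cap so the model itself is safe: a negative len never reaches zero
 * and so consumes the entire destination. */
size_t bytes_written_by_zero_only_check(int len, size_t dest_cap)
{
    size_t written = 0;
    while (len != 0 && written < dest_cap) {
        written++;
        len--;                  /* -1, -2, ...: never terminates on its own */
    }
    return written;
}

/* Hardened form: validate before subtracting and keep the length unsigned.
 * Returns false for frames too short to hold the header and CRC, so the
 * caller can drop the packet rather than decompress it. */
bool pred1_payload_len_checked(size_t olen, size_t *payload_len)
{
    if (olen < PRED1_OVERHEAD)
        return false;
    *payload_len = olen - PRED1_OVERHEAD;
    return true;
}

int main(void)
{
    size_t olen = 3, plen;      /* the mbuf length given in the report */
    int bad = pred1_payload_len_unchecked(olen);
    printf("unchecked length: %d\n", bad);
    printf("zero-only loop would write %zu bytes into a 4096-byte buffer\n",
           bytes_written_by_zero_only_check(bad, 4096));
    printf("checked: %s\n", pred1_payload_len_checked(olen, &plen) ? "ok" : "rejected");
    return 0;
}
```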

A backtrace from the attached demo ppp27a.c:

#0  0x000009cc8c70aff0 in decompress (state=0x9d4b663c700,
    source=0x9d4b66f28e9 "",
    dest=0x9d4b6787000 <error: Cannot access memory at address 0x9d4b6787000>,
    len=-1025456) at /usr/src/usr.sbin/ppp/pred.c:119
#1  Pred1Input (v=0x9d4b663c700, ccp=0x9d4b65d5340, proto=0x9d4ad6d2f1e,
    bp=0x9d4b65f8300) at /usr/src/usr.sbin/ppp/pred.c:238
#2  0x000009cc8c6dda10 in ccp_LayerPull (b=<optimized out>, l=<optimized out>,
    bp=0x9d4b65f8300, proto=0x9d4ad6d2f1e) at /usr/src/usr.sbin/ppp/ccp.c:765
#3  0x000009cc8c6feff4 in link_PullPacket (l=0x9d4b65d4600,
    buf=<optimized out>, len=<optimized out>,
    b=0x9cc8c7254b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/link.c:315
#4  0x000009cc8c6d8e25 in bundle_DescriptorRead (d=<optimized out>,
    bundle=0x9cc8c7254b0 <bundle_Create.bundle>, fdset=0x9d4b65ff140)
    at /usr/src/usr.sbin/ppp/bundle.c:546
#5  0x000009cc8c702704 in DoLoop (bundle=0x9cc8c7254b0 <bundle_Create.bundle>)
    at /usr/src/usr.sbin/ppp/main.c:661
#6  main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535
