Date: Sat, 10 Jun 2023 10:25:24 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271935] a short PPP LCP Identification packet can cause a wild write in ppp
Message-ID: <bug-271935-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271935

            Bug ID: 271935
           Summary: a short PPP LCP Identification packet can cause a wild
                    write in ppp
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Attachment #242711 text/plain mime type:

Created attachment 242711
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242711&action=edit
send ppp a too-short LCP Identification packet which causes a wild write

Once a PPPOE connection is set up, this packet:

  xx xx xx xx xx xx yy yy yy yy yy yy 88 64  // ethernet header
  11 00 00 01                                // pppoe header
  00 06                                      // length
  c0 21                                      // LCP
  0c                                         // CODE_IDENT from rfc-1570
  00                                         // identifier
  00 00                                      // length

will cause ppp's FsmRecvIdent() to write a '\0' in a wrong place:

  u_short len;
  len = ntohs(lhp->length) - sizeof *lhp;
  if (len >= 4) {
    ...;
    cp[len] = '\0';

In this situation, lhp->length is 0, so len is 65532.

I've attached a demo, pppoe13a.c. The problem is likely only visible with
something like valgrind, which the demo program runs.
A backtrace:

#0  0x000000000013dbb2 in FsmRecvIdent (fp=0x409ed1e8, lhp=<optimized out>,
    bp=0x41245000) at /usr/rtm/symbsd/src/usr.sbin/ppp/fsm.c:1013
#1  0x000000000013c80c in fsm_Input (fp=0x409ed1e8, bp=0x41245000)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/fsm.c:1099
#2  0x0000000000145bf8 in lcp_Input (bundle=<optimized out>, l=0x409ed000,
    bp=0x41245000) at /usr/rtm/symbsd/src/usr.sbin/ppp/lcp.c:1313
#3  0x0000000000147b2e in Despatch (bundle=<optimized out>, l=<optimized out>,
    bp=<optimized out>, proto=<optimized out>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/link.c:381
#4  0x00000000001479ce in link_PullPacket (l=0x409ed000, buf=<optimized out>,
    len=<optimized out>, b=0x1691f8 <bundle_Create.bundle>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/link.c:323
#5  0x00000000001295d0 in bundle_DescriptorRead (d=<optimized out>,
    bundle=0x1691f8 <bundle_Create.bundle>, fdset=0x408a16d0)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/bundle.c:546
#6  0x000000000014ac30 in DoLoop (bundle=0x1691f8 <bundle_Create.bundle>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/main.c:661
#7  0x000000000014a55a in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/main.c:535

-- 
You are receiving this mail because:
You are the assignee for the bug.
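To show the length arithmetic the report describes next to a check that rejects such a packet, here is an added example (written for this page; it is neither the reporter's pppoe13a.c demo nor ppp's source). It assumes the standard 4-byte LCP header layout from RFC 1661 and constructs its sample packets from the hex dump above: buggy_ident_len reproduces the wrap to 65532, safe_ident_len bounds the declared length against both the header size and the bytes actually received.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed 4-byte LCP header (RFC 1661): code, identifier, and a big-endian
 * length that counts the header itself. */
struct lcp_hdr {
    uint8_t  code;
    uint8_t  id;
    uint16_t length;
};

/* LCP bytes from the report's hex dump: code 0x0c (Identification), id 0,
 * length 0.  Constructed here from the dump, not captured traffic. */
static const uint8_t k_short_ident[4] = { 0x0c, 0x00, 0x00, 0x00 };

/* A well-formed Identification packet (constructed): length 12 = 4-byte
 * header + 4-byte magic number + 4 bytes of message text. */
static const uint8_t k_ok_ident[12] = { 0x0c, 0x01, 0x00, 0x0c,
                                        0xde, 0xad, 0xbe, 0xef,
                                        'p', 'p', 'p', '!' };

/* Mirrors the arithmetic quoted from FsmRecvIdent: ntohs() promotes to int,
 * sizeof is size_t, so the subtraction is unsigned and the result is then
 * truncated into a u_short; a declared length below 4 wraps around. */
uint16_t buggy_ident_len(const uint8_t *pkt)
{
    struct lcp_hdr hdr;
    uint16_t len;
    memcpy(&hdr, pkt, sizeof hdr);
    len = ntohs(hdr.length) - sizeof hdr;   /* 0 - 4 -> 65532 */
    return len;
}

/* Hardened variant (written for this example, not ppp's code): check the
 * declared length against both the header size and the bytes actually
 * received before deriving a payload length.  Returns -1 on a bad packet. */
int safe_ident_len(const uint8_t *pkt, size_t avail)
{
    struct lcp_hdr hdr;
    uint16_t declared;
    if (avail < sizeof hdr)
        return -1;
    memcpy(&hdr, pkt, sizeof hdr);
    declared = ntohs(hdr.length);
    if (declared < sizeof hdr || declared > avail)
        return -1;
    return (int)(declared - sizeof hdr);
}
```

The payload length returned by safe_ident_len is what a caller may then use as an index or copy size; the short packet from the report is rejected before any such use.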