[Bug 271805] off-by-one error in protoname() in ppp's lcp.c -> bad pointer dereference

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 03 Jun 2023 14:34:12 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271805

            Bug ID: 271805
           Summary: off-by-one error in protoname() in ppp's lcp.c -> bad
                    pointer dereference
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #242575 mime type: text/plain

Created attachment 242575
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242575&action=edit
crash ppp by tripping over an off-by-one error in protoname()

In /usr/src/usr.sbin/ppp/lcp.c, in protoname():

  if (proto > sizeof cftypes / sizeof *cftypes || cftypes[proto] == NULL)
    return HexStr(proto, NULL, 0);

I think it should be >= rather than >.

I've attached a demo program, which produces a crash with this backtrace:

#0  strlen () at /usr/src/lib/libc/amd64/string/strlen.S:47
#1  0x000022d936d7ba23 in __vfprintf (fp=0x22d931e9c888, locale=0x22d936e3b278 <__xlocale_global_locale>, fmt0=0x22d111d89c2f " %s[%d]", ap=0x22d931e9c9c0) at /usr/src/lib/libc/stdio/vfprintf.c:854
#2  0x000022d936d78ab0 in snprintf (str=0x22d931e9cae0 "\035", n=19, fmt=0x22d111d89c2f " %s[%d]") at /usr/src/lib/libc/stdio/snprintf.c:74
#3  0x000022d111dc24da in LcpDecodeConfig (fp=0x22d93917b7e8, cp=0x22d93919f237 '\245' <repeats 200 times>..., end=0x22d93919f16c "\377\377\377\377\377\377\377\377\263Ä¥", '\245' <repeats 137 times>, mode_type=0, dec=0x22d931e9cd50) at /usr/src/usr.sbin/ppp/lcp.c:683
#4  0x000022d111db68f6 in FsmRecvConfigReq (fp=0x22d93917b7e8, lhp=0x22d931e9cee8, bp=0x22d93919f100) at /usr/src/usr.sbin/ppp/fsm.c:496
#5  0x000022d111db5fd0 in fsm_Input (fp=fp@entry=0x22d93917b7e8, bp=bp@entry=0x22d93919f100) at /usr/src/usr.sbin/ppp/fsm.c:1096
#6  0x000022d111dc1d0c in lcp_Input (bundle=<optimized out>, l=<optimized out>, bp=0x22d93919f100) at /usr/src/usr.sbin/ppp/lcp.c:1305
#7  0x000022d111dc416c in Despatch (bundle=0x22d111dea4b0 <bundle_Create.bundle>, l=0x22d93917b600, bp=0x22d93919f100, proto=<optimized out>) at /usr/src/usr.sbin/ppp/link.c:381
#8  link_PullPacket (l=0x22d93917b600, buf=<optimized out>, len=<optimized out>, b=0x22d111dea4b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/link.c:323
#9  0x000022d111d9de25 in bundle_DescriptorRead (d=<optimized out>, bundle=0x22d111dea4b0 <bundle_Create.bundle>, fdset=0x22d9391a6140) at /usr/src/usr.sbin/ppp/bundle.c:546
#10 0x000022d111dc7704 in DoLoop (bundle=0x22d111dea4b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/main.c:661
#11 main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535

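Added example (not the reporter's demo program and not ppp's own code): a stand-alone model of the guard in protoname(). With N = sizeof cftypes / sizeof *cftypes, the check "proto > N" rejects N+1 and above but lets proto == N through, so cftypes[N], the pointer one past the end of the table, is read and handed to snprintf's %s, which is the strlen() at the top of the backtrace. The table contents below are a constructed stand-in (the real cftypes[] is larger), the 19-byte buffer and the " %s[%d]" format mirror the snprintf frame in the backtrace, and hexname() stands in for HexStr(). The guard functions return whether a given index would be used to index the table, so the bug is observable without performing the out-of-bounds read.

```c
/* Added example, not ppp's code. Models the bounds check in protoname()
 * from usr.sbin/ppp/lcp.c with a small constructed table. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for cftypes[]: index = option type, NULL = no name. */
static const char *const cftypes[] = {
  NULL,        /* 0: unused */
  "MRU",       /* 1 */
  "ACCMAP",    /* 2 */
  NULL,        /* 3: hole in the table, caught by the NULL test */
  "QUALPROTO", /* 4 */
  "MAGICNUM",  /* 5 */
};
#define NCFTYPES (sizeof cftypes / sizeof *cftypes) /* 6 entries, valid 0..5 */

/* Stand-in for HexStr(): name an unknown type by its number. */
static const char *hexname(unsigned proto) {
  static char buf[16];
  snprintf(buf, sizeof buf, "0x%02x", proto);
  return buf;
}

/* The original guard, "proto > N": returns 1 when it would go on to index
 * cftypes[proto]. For proto == N that is one element past the end. */
static int buggy_guard_accepts(unsigned proto) {
  return !(proto > NCFTYPES);
}

/* The corrected guard, "proto >= N": proto == N now takes the fallback. */
static int fixed_guard_accepts(unsigned proto) {
  return !(proto >= NCFTYPES);
}

/* protoname() with the corrected check; never indexes past the table. */
static const char *protoname(unsigned proto) {
  if (proto >= NCFTYPES || cftypes[proto] == NULL)
    return hexname(proto);
  return cftypes[proto];
}

/* Mirrors the snprintf frame in the backtrace: the name is formatted with
 * " %s[%d]" into a 19-byte buffer. With the buggy guard, the %s argument for
 * proto == N would be whatever pointer-sized value follows the table. */
static const char *describe_option(unsigned type, int len) {
  static char request[19];
  snprintf(request, sizeof request, " %s[%d]", protoname(type), len);
  return request;
}

int main(void) {
  for (unsigned p = 0; p <= NCFTYPES + 1; p++)
    printf("proto %u: buggy guard %s, fixed guard %s, name %s\n", p,
           buggy_guard_accepts(p) ? "indexes table" : "falls back",
           fixed_guard_accepts(p) ? "indexes table" : "falls back",
           protoname(p));
  return 0;
}
```

The loop in main() prints the one index, proto == NCFTYPES, on which the two guards disagree; every other value is handled identically, which is why a test that only tries "obviously bad" indices such as 255 never notices the bug.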