[Bug 271935] a short PPP LCP Identification packet can cause a wild write in ppp
Date: Sat, 10 Jun 2023 10:25:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271935

            Bug ID: 271935
           Summary: a short PPP LCP Identification packet can cause a wild
                    write in ppp
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 242711
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242711&action=edit
send ppp a too-short LCP Identification packet which causes a wild write

Once a PPPOE connection is set up, this packet:

  xx xx xx xx xx xx yy yy yy yy yy yy 88 64   // ethernet header
  11 00 00 01                                 // pppoe header
  00 06                                       // length
  c0 21                                       // LCP
  0c                                          // CODE_IDENT from rfc-1570
  00                                          // identifier
  00 00                                       // length

will cause ppp's FsmRecvIdent() to write a '\0' in a wrong place:

  u_short len;
  len = ntohs(lhp->length) - sizeof *lhp;
  if (len >= 4) {
    ...;
    cp[len] = '\0';

In this situation, lhp->length is 0, so len is 65532.

I've attached a demo, pppoe13a.c. The problem is likely only visible with
something like valgrind, which the demo program runs.
A backtrace:

#0  0x000000000013dbb2 in FsmRecvIdent (fp=0x409ed1e8, lhp=<optimized out>, bp=0x41245000)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/fsm.c:1013
#1  0x000000000013c80c in fsm_Input (fp=0x409ed1e8, bp=0x41245000)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/fsm.c:1099
#2  0x0000000000145bf8 in lcp_Input (bundle=<optimized out>, l=0x409ed000, bp=0x41245000)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/lcp.c:1313
#3  0x0000000000147b2e in Despatch (bundle=<optimized out>, l=<optimized out>, bp=<optimized out>, proto=<optimized out>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/link.c:381
#4  0x00000000001479ce in link_PullPacket (l=0x409ed000, buf=<optimized out>, len=<optimized out>, b=0x1691f8 <bundle_Create.bundle>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/link.c:323
#5  0x00000000001295d0 in bundle_DescriptorRead (d=<optimized out>, bundle=0x1691f8 <bundle_Create.bundle>, fdset=0x408a16d0)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/bundle.c:546
#6  0x000000000014ac30 in DoLoop (bundle=0x1691f8 <bundle_Create.bundle>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/main.c:661
#7  0x000000000014a55a in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/main.c:535
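The unsigned wrap the report describes, as an added example that is not FreeBSD's ppp code: a stand-in for the quoted length arithmetic run on a constructed 4-byte LCP Identification header with length 0, beside a guarded variant that rejects a declared length too short to hold the header and the magic number. The function names, the guarded variant and the second sample header are assumptions of this example, not anything from the report.

```c
/* Added example, not FreeBSD's ppp code. Models the length arithmetic the
 * report quotes from FsmRecvIdent() and the check that prevents the wrap. */
#include <stdint.h>
#include <stddef.h>

#define LCP_HDR_LEN 4   /* code, identifier, 16-bit length (RFC 1661) */

/* Read the big-endian length field from an LCP header (bytes 2..3). */
static uint16_t lcp_length(const uint8_t *hdr)
{
    return (uint16_t)((hdr[2] << 8) | hdr[3]);
}

/* Mirrors the arithmetic in the report: subtracting the header size from a
 * declared length smaller than 4 wraps, so a later "len >= 4" test passes. */
unsigned short vulnerable_ident_len(const uint8_t *hdr)
{
    unsigned short len;
    len = lcp_length(hdr) - LCP_HDR_LEN;   /* 0 - 4 wraps to 65532 */
    return len;
}

/* Guarded variant (an assumed fix, not FreeBSD's actual patch): validate the
 * declared length against the buffer and against header plus 4-byte magic
 * number before subtracting. Returns -1 when too short, else the same "len"
 * the report computes (data bytes after the header). */
int checked_ident_len(const uint8_t *hdr, size_t pkt_len)
{
    uint16_t length = lcp_length(hdr);
    if (length > pkt_len)             /* declared length exceeds the buffer */
        return -1;
    if (length < LCP_HDR_LEN + 4)     /* no room for the magic number */
        return -1;
    return (int)(length - LCP_HDR_LEN);
}

/* Constructed headers: the report's CODE_IDENT/id 0/length 0 header, and a
 * well-formed one declaring 12 bytes (header + magic + 4 bytes of text). */
const uint8_t short_ident_hdr[LCP_HDR_LEN] = { 0x0c, 0x00, 0x00, 0x00 };
const uint8_t ok_ident_hdr[LCP_HDR_LEN]    = { 0x0c, 0x01, 0x00, 0x0c };
```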