[Bug 271935] a short PPP LCP Identification packet can cause a wild write in ppp

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 10 Jun 2023 10:25:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271935

            Bug ID: 271935
           Summary: a short PPP LCP Identification packet can cause a wild
                    write in ppp
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #242711 mime type: text/plain

Created attachment 242711
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242711&action=edit
send ppp a too-short LCP Identification packet which causes a wild write

Once a PPPOE connection is set up, this packet:

    xx xx xx xx xx xx yy yy yy yy yy yy 88 64 // ethernet header
    11 00 00 01 // pppoe header
    00 06 // length
    c0 21 // LCP
    0c // CODE_IDENT from rfc-1570
    00 // identifier
    00 00 // length

will cause ppp's FsmRecvIdent() to write a '\0' in a wrong place:

  u_short len;
  len = ntohs(lhp->length) - sizeof *lhp;
  if (len >= 4) {
    ...;
    cp[len] = '\0';

In this situation, lhp->length is 0, so the u_short subtraction wraps and len is 65532, which passes the len >= 4 check.

I've attached a demo, pppoe13a.c. The problem is likely only visible
with something like valgrind, which the demo program runs. A
backtrace:

#0  0x000000000013dbb2 in FsmRecvIdent (fp=0x409ed1e8, lhp=<optimized out>, 
    bp=0x41245000) at /usr/rtm/symbsd/src/usr.sbin/ppp/fsm.c:1013
#1  0x000000000013c80c in fsm_Input (fp=0x409ed1e8, bp=0x41245000)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/fsm.c:1099
#2  0x0000000000145bf8 in lcp_Input (bundle=<optimized out>, l=0x409ed000, 
    bp=0x41245000) at /usr/rtm/symbsd/src/usr.sbin/ppp/lcp.c:1313
#3  0x0000000000147b2e in Despatch (bundle=<optimized out>, l=<optimized out>, 
    bp=<optimized out>, proto=<optimized out>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/link.c:381
#4  0x00000000001479ce in link_PullPacket (l=0x409ed000, buf=<optimized out>, 
    len=<optimized out>, b=0x1691f8 <bundle_Create.bundle>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/link.c:323
#5  0x00000000001295d0 in bundle_DescriptorRead (d=<optimized out>, 
    bundle=0x1691f8 <bundle_Create.bundle>, fdset=0x408a16d0)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/bundle.c:546
#6  0x000000000014ac30 in DoLoop (bundle=0x1691f8 <bundle_Create.bundle>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/main.c:661
#7  0x000000000014a55a in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/rtm/symbsd/src/usr.sbin/ppp/main.c:535

-- 
You are receiving this mail because:
You are the assignee for the bug.
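As an added illustration (not the reporter's demo program and not ppp's own code), the u_short wraparound from the report beside a parser that validates the LCP length against the header size and the bytes actually received before writing the terminator; the struct, function and buffer names are assumed, only the header layout (code, identifier, 16-bit length, 4-byte magic number) follows RFC 1570.

```c
/* Added example: the length wraparound described in the bug report,
 * next to a checked parse. Names here are hypothetical, not ppp's. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

struct lcp_hdr {            /* 4 bytes, like ppp's "lhp" header */
    uint8_t  code;          /* 0x0c = Identification (RFC 1570) */
    uint8_t  id;
    uint16_t length;        /* total packet length, network byte order */
};

/* Same computation as the report: ntohs(length) - sizeof header,
 * truncated to u_short. For length 0 this yields 65532, which
 * satisfies "len >= 4" and leads to cp[65532] = '\0'. */
uint16_t vulnerable_payload_len(const struct lcp_hdr *lhp)
{
    return (uint16_t)(ntohs(lhp->length) - sizeof *lhp);
}

/* Checked version: copies the identification message (after the magic
 * number) into out, NUL-terminated, and returns its length, or -1 if
 * the packet is malformed. avail = bytes really present at pkt. */
int parse_ident_checked(const uint8_t *pkt, size_t avail, char *out, size_t outsz)
{
    struct lcp_hdr hdr;
    if (avail < sizeof hdr)
        return -1;                            /* no complete header */
    memcpy(&hdr, pkt, sizeof hdr);
    size_t total = ntohs(hdr.length);
    if (total < sizeof hdr + 4 || total > avail)
        return -1;                            /* too short, or claims more than received */
    size_t datalen = total - sizeof hdr - 4;  /* message bytes after the magic number */
    if (datalen >= outsz)
        datalen = outsz - 1;                  /* never write past the caller's buffer */
    memcpy(out, pkt + sizeof hdr + 4, datalen);
    out[datalen] = '\0';
    return (int)datalen;
}

int main(void)
{
    /* Constructed: the report's Identification packet with length field 0 */
    struct lcp_hdr bad = { 0x0c, 0x00, 0 };
    char out[64];
    printf("wrapped len = %u\n", vulnerable_payload_len(&bad));
    printf("checked parse = %d\n", parse_ident_checked((const uint8_t *)&bad, sizeof bad, out, sizeof out));
    return 0;
}
```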