git: f51bea8bb347 - 2021Q3 - net/mpd5: fix PPPoE Server remotely exploitable crash
Eugene Grosbein
eugen at FreeBSD.org
Wed Sep 8 22:19:17 UTC 2021
The branch 2021Q3 has been updated by eugen:
URL: https://cgit.FreeBSD.org/ports/commit/?id=f51bea8bb3478f022a3c337273c07ccfb8cc5694
commit f51bea8bb3478f022a3c337273c07ccfb8cc5694
Author: Eugene Grosbein <eugen at FreeBSD.org>
AuthorDate: 2021-09-08 22:04:31 +0000
Commit: Eugene Grosbein <eugen at FreeBSD.org>
CommitDate: 2021-09-08 22:18:15 +0000
net/mpd5: fix PPPoE Server remotely exploitable crash
This is security fix for PPPoE servers.
Insufficient validation of incoming PPPoE Discovery request
specially crafted by unauthenticated user might lead to unexpected
termination of the process. The problem affects mpd versions since 5.0.
Installations not using PPPoE server configuration were not affected.
Reported by: paul & Yannick C at SourceForge
Tested by: paul & Yannick C at SourceForge
Security: f55921aa-10c9-11ec-8647-00e0670f2660
(cherry picked from commit 1f6fcc264e1dfc53f5cd42cad335e5375abe080d)
---
net/mpd5/Makefile | 2 +-
net/mpd5/files/patch-pppoe.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/net/mpd5/Makefile b/net/mpd5/Makefile
index 1955acfe1817..81fc894b519b 100644
--- a/net/mpd5/Makefile
+++ b/net/mpd5/Makefile
@@ -2,7 +2,7 @@
PORTNAME= mpd
DISTVERSION= 5.9
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net
MASTER_SITES= SF/${PORTNAME}/Mpd5/Mpd-${PORTVERSION}
PKGNAMESUFFIX= 5
diff --git a/net/mpd5/files/patch-pppoe.c b/net/mpd5/files/patch-pppoe.c
new file mode 100644
index 000000000000..ccc3e117df6a
--- /dev/null
+++ b/net/mpd5/files/patch-pppoe.c
@@ -0,0 +1,34 @@
+Index: src/pppoe.c
+===================================================================
+--- src/pppoe.c (revision 2420)
++++ src/pppoe.c (revision 2423)
+@@ -1257,6 +1257,8 @@ PppoeListenEvent(int type, void *arg)
+ const struct pppoe_hdr *ph;
+ const struct pppoe_tag *tag;
+
++ u_int16_t length;
++
+ union {
+ u_char buf[sizeof(struct ngpppoe_init_data) + MAX_SESSION];
+ struct ngpppoe_init_data poeid;
+@@ -1288,6 +1290,20 @@ PppoeListenEvent(int type, void *arg)
+
+ wh = (struct pppoe_full_hdr *)response;
+ ph = &wh->ph;
++
++ /* Sanity check */
++ length = ntohs(ph->length);
++ if (length > (size_t)sz - sizeof(struct pppoe_full_hdr)) {
++ Log(LG_PHYS, ("Ignored incoming PPPoE connection request "
++ "via %s for service \"%s\" from %s "
++ "due to bad length %hu > %u",
++ PIf->ifnodepath, session,
++ ether_ntoa((const struct ether_addr *)&wh->eh.ether_shost),
++ length,
++ (unsigned)((size_t)sz - sizeof(struct pppoe_full_hdr))));
++ return;
++ }
++
+ if ((tag = get_tag(ph, PTT_SRV_NAME))) {
+ size_t len = ntohs(tag->tag_len);
+ if (len >= sizeof(real_session))
More information about the dev-commits-ports-all
mailing list