mirror of
https://git.freebsd.org/ports.git
synced 2025-05-31 02:16:27 -04:00
1f6fcc264e
This is security fix for PPPoE servers. Insufficient validation of incoming PPPoE Discovery request specially crafted by unauthenticated user might lead to unexpected termination of the process. The problem affects mpd versions since 5.0. Installations not using PPPoE server configuration were not affected. Reported by: paul & Yannick C at SourceForge Tested by: paul & Yannick C at SourceForge Security: f55921aa-10c9-11ec-8647-00e0670f2660
34 lines
1.1 KiB
C
34 lines
1.1 KiB
C
Index: src/pppoe.c
|
|
===================================================================
|
|
--- src/pppoe.c (revision 2420)
|
|
+++ src/pppoe.c (revision 2423)
|
|
@@ -1257,6 +1257,8 @@ PppoeListenEvent(int type, void *arg)
|
|
const struct pppoe_hdr *ph;
|
|
const struct pppoe_tag *tag;
|
|
|
|
+ u_int16_t length;
|
|
+
|
|
union {
|
|
u_char buf[sizeof(struct ngpppoe_init_data) + MAX_SESSION];
|
|
struct ngpppoe_init_data poeid;
|
|
@@ -1288,6 +1290,20 @@ PppoeListenEvent(int type, void *arg)
|
|
|
|
wh = (struct pppoe_full_hdr *)response;
|
|
ph = &wh->ph;
|
|
+
|
|
+ /* Sanity check */
|
|
+ length = ntohs(ph->length);
|
|
+ if (length > (size_t)sz - sizeof(struct pppoe_full_hdr)) {
|
|
+ Log(LG_PHYS, ("Ignored incoming PPPoE connection request "
|
|
+ "via %s for service \"%s\" from %s "
|
|
+ "due to bad length %hu > %u",
|
|
+ PIf->ifnodepath, session,
|
|
+ ether_ntoa((const struct ether_addr *)&wh->eh.ether_shost),
|
|
+ length,
|
|
+ (unsigned)((size_t)sz - sizeof(struct pppoe_full_hdr))));
|
|
+ return;
|
|
+ }
|
|
+
|
|
if ((tag = get_tag(ph, PTT_SRV_NAME))) {
|
|
size_t len = ntohs(tag->tag_len);
|
|
if (len >= sizeof(real_session))
|