Bug 271910 - bad TY_ENDDISC option can cause ppp to write beyond end of buffer
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Assignee: freebsd-bugs (Nobody)
Reported: 2023-06-08 15:41 UTC by Robert Morris
Modified: 2023-06-08 15:41 UTC

Attachments
send ppp an HDLC frame that causes it to overrun a buffer (1.07 KB, text/plain)
2023-06-08 15:41 UTC, Robert Morris

Description Robert Morris 2023-06-08 15:41:47 UTC
Created attachment 242687
send ppp an HDLC frame that causes it to overrun a buffer

This HDLC LCP Configure-Request frame:

  7e c0 21 01 01 00 06 13 02 6b 94 7e 

causes ppp/lcp.c's LcpDecodeConfig() to call memcpy() with length =
0xffffffffffffffff here:

    case TY_ENDDISC:
          ...;
          memcpy(p->dl->peer.enddisc.address, opt->data + 1, opt->hdr.len - 3);

opt->hdr.len is the 02 in the frame above, so len - 3 is -1. opt->data
points into the input HDLC frame.

The "- 3" here can also lead to trouble:

      log_Printf(LogLCP, "%s %s\n", request,
                 mp_Enddisc(opt->data[0], opt->data + 1, opt->hdr.len - 3));

Here's a parsing of the frame:

    0x7e,
    0xc0, 0x21, // LCP
    0x01, 0x01, // code=Configure-Request, ID=1
    0x00, 0x06, // length
    0x13, 0x02, // 0x13=Multilink-Endpoint-Discriminator, 2=length
    0x6b, 0x94, // HDLC checksum
    0x7e

Here's a backtrace from the attached demo program ppp3c.c:

#0  memcpy () at /usr/src/lib/libc/amd64/string/memmove.S:306
#1  0x00002433db2ed225 in LcpDecodeConfig (fp=0x243c0533f7e8, 
    cp=0x243c05363165 "\002", end=0x243c05363167 "", mode_type=0, 
    dec=0x243bfc109310) at /usr/src/usr.sbin/ppp/lcp.c:1216
#2  0x00002433db2e08f6 in FsmRecvConfigReq (fp=0x243c0533f7e8, 
    lhp=0x243bfc1094a8, bp=0x243c05363100) at /usr/src/usr.sbin/ppp/fsm.c:496
#3  0x00002433db2dffd0 in fsm_Input (fp=fp@entry=0x243c0533f7e8, 
    bp=bp@entry=0x243c05363100) at /usr/src/usr.sbin/ppp/fsm.c:1096
#4  0x00002433db2ebd0c in lcp_Input (bundle=<optimized out>, 
    l=<optimized out>, bp=0x243c05363100) at /usr/src/usr.sbin/ppp/lcp.c:1305
#5  0x00002433db2ee16c in Despatch (
    bundle=0x2433db3144b0 <bundle_Create.bundle>, l=0x243c0533f600, 
    bp=0x243c05363100, proto=<optimized out>)
    at /usr/src/usr.sbin/ppp/link.c:381
#6  link_PullPacket (l=0x243c0533f600, buf=<optimized out>, 
    len=<optimized out>, b=0x2433db3144b0 <bundle_Create.bundle>)
    at /usr/src/usr.sbin/ppp/link.c:323
#7  0x00002433db2c7e25 in bundle_DescriptorRead (d=<optimized out>, 
    bundle=0x2433db3144b0 <bundle_Create.bundle>, fdset=0x243c0536a140)
    at /usr/src/usr.sbin/ppp/bundle.c:546
#8  0x00002433db2f1704 in DoLoop (bundle=0x2433db3144b0 <bundle_Create.bundle>)
    at /usr/src/usr.sbin/ppp/main.c:661
#9  main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535

(gdb) print/x *opt
$2 = {hdr = {id = 0x13, len = 0x2}, data = {0x0, 0x6, 0x13, 0x2, 0x13, 0x2, 
    0x6b, 0x94, 0xa5 <repeats 42 times>}}
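A bounds-checked parse of the same Configure-Request, added here as an example; it is neither ppp's code nor the reporter's attachment. The function names, the ENDDISC_MAX_ADDR cap and the well-formed good_req packet are constructed for illustration; only bad_req is taken from the frame in the report.

```c
#include <stddef.h>
#include <string.h>

#define TY_ENDDISC 0x13      /* Multilink-Endpoint-Discriminator, as in the report */
#define ENDDISC_MAX_ADDR 20  /* assumed cap: RFC 1990 discriminator addresses are at most 20 octets */

/* Parse one TY_ENDDISC option at opt with `remaining` packet bytes left.  Returns
 * the address length (>= 0) or -1 if malformed.  Requiring len >= 3 (type, length,
 * class) before computing len - 3 is the check missing before the report's memcpy(). */
int enddisc_parse(const unsigned char *opt, size_t remaining,
                  unsigned char *class_out, unsigned char *addr_out, size_t addr_cap)
{
    if (remaining < 2 || opt[0] != TY_ENDDISC) return -1;  /* need type + length bytes */
    size_t len = opt[1];
    if (len < 3 || len > remaining) return -1;  /* no class byte, or runs past the packet */
    size_t addr_len = len - 3;                  /* cannot wrap: len >= 3 */
    if (addr_len > addr_cap) return -1;         /* would overrun the destination buffer */
    *class_out = opt[2];
    memcpy(addr_out, opt + 3, addr_len);
    return (int)addr_len;
}

/* Walk every option of an LCP Configure-Request (code, id, 16-bit length, options).
 * Returns how many TY_ENDDISC options parsed, or -1 at the first malformed option
 * or a declared LCP length that does not fit the packet. */
int walk_config_req(const unsigned char *pkt, size_t n)
{
    if (n < 4) return -1;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
    if (plen < 4 || plen > n) return -1;        /* declared length must fit the packet */
    const unsigned char *p = pkt + 4, *end = pkt + plen;
    int found = 0;
    while (p < end) {
        size_t left = (size_t)(end - p);
        if (left < 2 || p[1] < 2 || p[1] > left) return -1;  /* bounds for every option type */
        if (p[0] == TY_ENDDISC) {
            unsigned char cls, addr[ENDDISC_MAX_ADDR];
            if (enddisc_parse(p, left, &cls, addr, sizeof addr) < 0) return -1;
            found++;
        }
        p += p[1];
    }
    return found;
}

/* The report's Configure-Request (bytes after "7e c0 21", before the checksum and
 * closing flag) and a constructed well-formed one with a 6-octet class-3 (MAC) address. */
const unsigned char bad_req[]  = {0x01, 0x01, 0x00, 0x06, 0x13, 0x02};
const unsigned char good_req[] = {0x01, 0x01, 0x00, 0x0d, 0x13, 0x09, 0x03,
                                  0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
```

With these checks the report's frame is rejected at the option level (len 2 is below the 3-byte minimum), so the subtraction that produced the huge memcpy length is never reached.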