[tw] - fixed out of bounds memory access, possible DOS

This commit is contained in:
Thomas Woerner 2004-11-02 14:55:59 +00:00
parent bd62245173
commit 88aa92b454
2 changed files with 148 additions and 1 deletions

142
ppp-2.4.1-pkgcheck.patch Normal file
View File

@ -0,0 +1,142 @@
--- ppp-2.4.1/pppd/cbcp.c.pkgcheck 2004-11-02 14:19:23.000000000 +0100
+++ ppp-2.4.1/pppd/cbcp.c 2004-11-02 15:04:06.000000000 +0100
@@ -150,7 +150,8 @@
inp = inpacket;
if (pktlen < CBCP_MINLEN) {
- error("CBCP packet is too small");
+ if (debug)
+ dbglog("CBCP packet is too small");
return;
}
@@ -158,12 +159,11 @@
GETCHAR(id, inp);
GETSHORT(len, inp);
-#if 0
- if (len > pktlen) {
- error("CBCP packet: invalid length");
+ if (len > pktlen || len < CBCP_MINLEN) {
+ if (debug)
+ dbglog("CBCP packet: invalid length %d", len);
return;
}
-#endif
len -= CBCP_MINLEN;
@@ -174,11 +174,12 @@
break;
case CBCP_RESP:
- dbglog("CBCP_RESP received");
+ if (debug)
+ dbglog("CBCP_RESP received");
break;
case CBCP_ACK:
- if (id != us->us_id)
+ if (debug && id != us->us_id)
dbglog("id doesn't match: expected %d recv %d",
us->us_id, id);
@@ -297,11 +298,13 @@
address[0] = 0;
- while (len) {
+ while (len >= 2) {
dbglog("length: %d", len);
GETCHAR(type, pckt);
GETCHAR(opt_len, pckt);
+ if (opt_len < 2 || opt_len > len)
+ break;
if (opt_len > 2)
GETCHAR(delay, pckt);
@@ -333,6 +336,11 @@
}
len -= opt_len;
}
+ if (len != 0) {
+ if (debug)
+ dbglog("cbcp_recvreq: malformed packet (%d bytes left)", len);
+ return;
+ }
cbcp_resp(us);
}
@@ -345,6 +353,7 @@
u_char buf[256];
u_char *bufp = buf;
int len = 0;
+ int slen;
cb_type = us->us_allowed & us->us_type;
dbglog("cbcp_resp cb_type=%d", cb_type);
@@ -356,12 +365,17 @@
if (cb_type & ( 1 << CB_CONF_USER ) ) {
dbglog("cbcp_resp CONF_USER");
+ slen = strlen(us->us_number);
+ if (slen > 250) {
+ warn("callback number truncated to 250 characters");
+ slen = 250;
+ }
PUTCHAR(CB_CONF_USER, bufp);
- len = 3 + 1 + strlen(us->us_number) + 1;
+ len = 3 + 1 + slen + 1;
PUTCHAR(len , bufp);
PUTCHAR(5, bufp); /* delay */
PUTCHAR(1, bufp);
- BCOPY(us->us_number, bufp, strlen(us->us_number) + 1);
+ BCOPY(us->us_number, bufp, slen + 1);
cbcp_send(us, CBCP_RESP, buf, len);
return;
}
@@ -424,25 +438,29 @@
int opt_len;
char address[256];
- if (len) {
+ if (len >= 2) {
GETCHAR(type, pckt);
GETCHAR(opt_len, pckt);
- if (opt_len > 2)
- GETCHAR(delay, pckt);
+ if (opt_len >= 2 && opt_len <= len) {
+ if (opt_len > 2)
+ GETCHAR(delay, pckt);
- if (opt_len > 4) {
- GETCHAR(addr_type, pckt);
- memcpy(address, pckt, opt_len - 4);
- address[opt_len - 4] = 0;
- if (address[0])
- dbglog("peer will call: %s", address);
- }
- if (type == CB_CONF_NO)
- return;
- }
+ if (opt_len > 4) {
+ GETCHAR(addr_type, pckt);
+ memcpy(address, pckt, opt_len - 4);
+ address[opt_len - 4] = 0;
+ if (address[0])
+ dbglog("peer will call: %s", address);
+ }
+ if (type == CB_CONF_NO)
+ return;
- cbcp_up(us);
+ cbcp_up(us);
+
+ } else if (debug)
+ dbglog("cbcp_recvack: malformed packet");
+ }
}
/* ok peer will do callback */

View File

@ -1,7 +1,7 @@
Summary: The PPP (Point-to-Point Protocol) daemon.
Name: ppp
Version: 2.4.2
Release: 6.3
Release: 7
License: distributable
Group: System Environment/Daemons
Source0: ftp://ftp.samba.org/pub/ppp/ppp-%{version}.tar.gz
@ -25,6 +25,7 @@ Patch14: ppp-2.4.2-argv.patch
Patch15: ppp-2.4.2-pppoatm.patch
Patch16: ppp-2.4.2-pppoatm-mtu.patch
Patch17: ppp-2.4.2-pppoatm-make.patch
Patch18: ppp-2.4.1-pkgcheck.patch
BuildRoot: %{_tmppath}/%{name}-root
BuildPrereq: pam-devel, libpcap
@ -59,6 +60,7 @@ organization over a modem and phone line.
%patch15 -p1 -b .atm
%patch16 -p1 -b .atm-mtu
%patch17 -p1 -b .atm-make
%patch18 -p1 -b .pkgcheck
find . -type f -name "*.sample" | xargs rm -f
@ -117,6 +119,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Tue Nov 2 2004 Thomas Woerner <twoerner@redhat.com> 2.4.2-7
- fixed out of bounds memory access, possible DOS
* Thu Oct 7 2004 David Woodhouse <dwmw2@redhat.com> 2.4.2-6.3
- Fix use of 'demand' without explicit MTU/MRU with pppoatm