On Tue, 28 Jun 2011, Paul Stoeber wrote:
> If I follow the example in the pppoe(4) manual with
> authkey ''
> then I get this:
> uvm_fault(0xd0a3abe0, 0x0, 0, 1) -> e
> kernel: page fault trap, code=0
> Stopped at strlen+0xd: repne scasb (%esi)
> ddb> trace
> strlen(d156d000,4e09e430,db33de00,d0203171,0) at strlen+0xd
> sppp_pap_open(d156d000,d5cde368,2,db33de74,d5cde300) at sppp_pap_open+0x5d
> sppp_lcp_tlu(d156d000,d156d000,d5cde300,d0203171,60) at sppp_lcp_tlu+0x106
> sppp_input(d156d000,d5cde300,d5cde300,ff28,3c) at sppp_input+0x464
> pppoeintr(d0203171,d1500940,db33df14,d057cd5f,0) at pppoeintr+0x423
> netintr(0,1,d151dc80,0,d02020b2) at netintr+0x95
> softintr_dispatch(1) at softintr_dispatch+0x4f
> Xsoftnet() at Xsoftnet+0x12
> --- interrupt ---
> cpu_idle_cycle(d0af76c0) at cpu_idle_cycle+0xf
> Bad frame pointer: 0xd0bafe48
>
> It doesn't happen with authkey 'x'
> (my provider doesn't care about the password).
Try the patch below. It looks simplest to always assume the secret
pointer is set, rather than fixing every reference to cope with NULL.
Index: if_spppsubr.c
===================================================================
RCS file: /home/tedu/cvs/src/sys/net/if_spppsubr.c,v
retrieving revision 1.87
diff -u -r1.87 if_spppsubr.c
--- if_spppsubr.c 18 Jun 2011 23:52:49 -0000 1.87
+++ if_spppsubr.c 28 Jun 2011 18:51:00 -0000
@@ -3796,8 +3796,7 @@
/* Compute reply value. */
MD5Init(&ctx);
MD5Update(&ctx, &h->ident, 1);
- MD5Update(&ctx, sp->myauth.secret,
- strlen(sp->myauth.secret));
+ MD5Update(&ctx, sp->myauth.secret, strlen(sp->myauth.secret));
MD5Update(&ctx, value, value_len);
MD5Final(digest, &ctx);
dsize = sizeof digest;
@@ -3915,8 +3914,7 @@
MD5Init(&ctx);
MD5Update(&ctx, &h->ident, 1);
- MD5Update(&ctx, sp->hisauth.secret,
- strlen(sp->hisauth.secret));
+ MD5Update(&ctx, sp->hisauth.secret, strlen(sp->hisauth.secret));
MD5Update(&ctx, sp->chap_challenge, AUTHCHALEN);
MD5Final(digest, &ctx);
@@ -5124,6 +5122,10 @@
strlcpy(p, spa->secret, len);
if (auth->secret != NULL)
free(auth->secret, M_DEVBUF);
+ auth->secret = p;
+ } else if (!auth->secret) {
+ p = malloc(1, M_DEVBUF, M_WAITOK);
+ p[0] = '\0';
auth->secret = p;
}
}
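Review bot: The added `else if (!auth->secret)` branch makes the secret non-NULL only on this setter path, so any `myauth`/`hisauth` that never passes through it, or any other code that frees or resets `auth->secret`, would still hand NULL to the unchecked `strlen()` calls in the two CHAP hunks above and in sppp_pap_open from the reported trace. The enclosing function starts outside the hunk, so whether such paths exist cannot be confirmed here; initialization and teardown of both auth blocks should be checked against the new assumption. I would document it on the branch with `/* Invariant: secret always points to a valid (possibly empty) string; callers strlen() it unchecked. */` and write the test as `auth->secret == NULL` to match the `!= NULL` check three lines up. If this path also serves `hisauth`, an empty secret is now stored and used as a zero-length key in CHAP verification, so consider whether an empty peer secret should be refused instead.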