This patch compiles and fixes the problem.  Thanks.

On Tue, 28 Jun 2011, Ted Unangst wrote:
> On Tue, 28 Jun 2011, Paul Stoeber wrote:
> 
> > If I follow the example in the pppoe(4) manual with
> >     authkey ''
> > then I get this:
> > uvm_fault(0xd0a3abe0, 0x0, 0, 1) -> e
> > kernel: page fault trap, code=0
> > Stopped at  strlen+0xd:     repne scasb     (%esi)
> > ddb> trace
> > strlen(d156d000,4e09e430,db33de00,d0203171,0) at strlen+0xd
> > sppp_pap_open(d156d000,d5cde368,2,db33de74,d5cde300) at sppp_pap_open+0x5d
> > sppp_lcp_tlu(d156d000,d156d000,d5cde300,d0203171,60) at sppp_lcp_tlu+0x106
> > sppp_input(d156d000,d5cde300,d5cde300,ff28,3c) at sppp_input+0x464
> > pppoeintr(d0203171,d1500940,db33df14,d057cd5f,0) at pppoeintr+0x423
> > netintr(0,1,d151dc80,0,d02020b2) at netintr+0x95
> > softintr_dispatch(1) at softintr_dispatch+0x4f
> > Xsoftnet() at Xsoftnet+0x12
> > --- interrupt ---
> > cpu_idle_cycle(d0af76c0) at cpu_idle_cycle+0xf
> > Bad frame pointer: 0xd0bafe48
> > 
> > It doesn't happen with authkey 'x'
> > (my provider doesn't care about the password).
> 
> Try the patch below.  It looks simplest to just always assume the secret 
> pointer is set, rather than fixing all the references to deal with null.
> 
> Index: if_spppsubr.c
> ===================================================================
> RCS file: /home/tedu/cvs/src/sys/net/if_spppsubr.c,v
> retrieving revision 1.87
> diff -u -r1.87 if_spppsubr.c
> --- if_spppsubr.c     18 Jun 2011 23:52:49 -0000      1.87
> +++ if_spppsubr.c     28 Jun 2011 18:51:00 -0000
> @@ -3796,8 +3796,7 @@
>               /* Compute reply value. */
>               MD5Init(&ctx);
>               MD5Update(&ctx, &h->ident, 1);
> -             MD5Update(&ctx, sp->myauth.secret,
> -                       strlen(sp->myauth.secret));
> +             MD5Update(&ctx, sp->myauth.secret, strlen(sp->myauth.secret));
>               MD5Update(&ctx, value, value_len);
>               MD5Final(digest, &ctx);
>               dsize = sizeof digest;
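Review bot: The joined MD5Update line is a whitespace-only change and still passes sp->myauth.secret straight to strlen with no NULL check, so this call is safe only because of the allocation added in the @@ -5124 hunk. Consider keeping the reformatting out of the fix, or adding a short comment here stating that myauth.secret is never NULL, so the dependency is visible at the call site.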
> @@ -3915,8 +3914,7 @@
>  
>               MD5Init(&ctx);
>               MD5Update(&ctx, &h->ident, 1);
> -             MD5Update(&ctx, sp->hisauth.secret,
> -                       strlen(sp->hisauth.secret));
> +             MD5Update(&ctx, sp->hisauth.secret, strlen(sp->hisauth.secret));
>               MD5Update(&ctx, sp->chap_challenge, AUTHCHALEN);
>               MD5Final(digest, &ctx);
>  
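Review bot: strlen(sp->hisauth.secret) in this hunk relies on the same non-NULL invariant, but the @@ -5124 hunk only shows the generic auth->secret being filled in. Please confirm that code is reached for hisauth as well as myauth; otherwise this call is still exposed to a NULL secret.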
> @@ -5124,6 +5122,10 @@
>                               strlcpy(p, spa->secret, len);
>                               if (auth->secret != NULL)
>                                       free(auth->secret, M_DEVBUF);
> +                             auth->secret = p;
> +                     } else if (!auth->secret) {
> +                             p = malloc(1, M_DEVBUF, M_WAITOK);
> +                             p[0] = '\0';
>                               auth->secret = p;
>                       }
>               }
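Review bot: The empty-string fallback in the new "else if (!auth->secret)" branch is created only when this code path runs, so a structure that reaches one of the strlen(...secret) calls without passing through here would still hold NULL. Since the stated intent is to always assume the pointer is set, it is worth confirming that no such path exists, or allocating the empty string where the structure is initialised. Minor style point: write the test as auth->secret == NULL to match the auth->secret != NULL check a few lines above.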
