https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271805
Bug ID: 271805
Summary: off-by-one error in protoname() in ppp's lcp.c -> bad pointer dereference
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
Attachment #242575 mime type: text/plain
Created attachment 242575
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242575&action=edit
crash ppp by tripping over an off-by-one error in protoname()
In /usr/src/usr.sbin/ppp/lcp.c, in protoname():
if (proto > sizeof cftypes / sizeof *cftypes || cftypes[proto] == NULL)
return HexStr(proto, NULL, 0);
I think it should be >= rather than >.
I've attached a demo program, which produces a crash with this backtrace:
#0 strlen () at /usr/src/lib/libc/amd64/string/strlen.S:47
#1 0x000022d936d7ba23 in __vfprintf (fp=0x22d931e9c888, locale=0x22d936e3b278 <__xlocale_global_locale>, fmt0=0x22d111d89c2f " %s[%d]", ap=0x22d931e9c9c0) at /usr/src/lib/libc/stdio/vfprintf.c:854
#2 0x000022d936d78ab0 in snprintf (str=0x22d931e9cae0 "\035", n=19, fmt=0x22d111d89c2f " %s[%d]") at /usr/src/lib/libc/stdio/snprintf.c:74
#3 0x000022d111dc24da in LcpDecodeConfig (fp=0x22d93917b7e8, cp=0x22d93919f237 '\245' <repeats 200 times>..., end=0x22d93919f16c "\377\377\377\377\377\377\377\377\263ĥ", '\245' <repeats 137 times>, mode_type=0, dec=0x22d931e9cd50) at /usr/src/usr.sbin/ppp/lcp.c:683
#4 0x000022d111db68f6 in FsmRecvConfigReq (fp=0x22d93917b7e8, lhp=0x22d931e9cee8, bp=0x22d93919f100) at /usr/src/usr.sbin/ppp/fsm.c:496
#5 0x000022d111db5fd0 in fsm_Input (fp=fp@entry=0x22d93917b7e8, bp=bp@entry=0x22d93919f100) at /usr/src/usr.sbin/ppp/fsm.c:1096
#6 0x000022d111dc1d0c in lcp_Input (bundle=<optimized out>, l=<optimized out>, bp=0x22d93919f100) at /usr/src/usr.sbin/ppp/lcp.c:1305
#7 0x000022d111dc416c in Despatch (bundle=0x22d111dea4b0 <bundle_Create.bundle>, l=0x22d93917b600, bp=0x22d93919f100, proto=<optimized out>) at /usr/src/usr.sbin/ppp/link.c:381
#8 link_PullPacket (l=0x22d93917b600, buf=<optimized out>, len=<optimized out>, b=0x22d111dea4b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/link.c:323
#9 0x000022d111d9de25 in bundle_DescriptorRead (d=<optimized out>, bundle=0x22d111dea4b0 <bundle_Create.bundle>, fdset=0x22d9391a6140) at /usr/src/usr.sbin/ppp/bundle.c:546
#10 0x000022d111dc7704 in DoLoop (bundle=0x22d111dea4b0 <bundle_Create.bundle>) at /usr/src/usr.sbin/ppp/main.c:661
#11 main (argc=3, argv=<optimized out>) at /usr/src/usr.sbin/ppp/main.c:535
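The guard discussed in the report, reproduced beside its corrected form as an added example. This is not ppp's code: the cftypes[] table below is a constructed stand-in for the real one (same shape, invented entries), and the hex fallback is a hypothetical replacement for HexStr(). The point it shows is that `sizeof cftypes / sizeof *cftypes` is the element count, so `proto > count` still lets `proto == count` through to `cftypes[proto]`, one element past the end; `>=` closes that gap.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the cftypes[] table in ppp's lcp.c (not the real
 * contents): option names indexed by configuration type, with a NULL for an
 * unassigned type so the "cftypes[proto] == NULL" branch is exercised too. */
static const char *const cftypes[] = {
    "VENDOR",   /* 0 */
    "MRU",      /* 1 */
    "ACCMAP",   /* 2 */
    NULL,       /* 3: unassigned type */
    "MAGICNUM", /* 4 */
};

/* Element count: the value the original guard compares proto against. */
#define NCFTYPES (sizeof cftypes / sizeof *cftypes)

/* Mirrors the guard as reported: returns 1 when the check would go on to
 * index cftypes[proto].  For proto == NCFTYPES that is one past the end. */
int guard_allows_index_buggy(size_t proto)
{
    return !(proto > NCFTYPES);
}

/* Corrected guard (">=" instead of ">"): the last valid index is
 * NCFTYPES - 1, so NCFTYPES itself is rejected. */
int guard_allows_index_fixed(size_t proto)
{
    return !(proto >= NCFTYPES);
}

/* Safe lookup using the corrected guard.  Unknown or out-of-range types get
 * a hex rendering written into the caller's buffer (hypothetical stand-in for
 * the original's HexStr() fallback). */
const char *protoname_fixed(size_t proto, char *buf, size_t buflen)
{
    if (proto >= NCFTYPES || cftypes[proto] == NULL) {
        snprintf(buf, buflen, "0x%02zx", proto);
        return buf;
    }
    return cftypes[proto];
}

int main(void)
{
    char buf[32];

    /* The one index that separates the two guards. */
    printf("proto == %zu: buggy guard indexes table? %d, fixed guard? %d\n",
           NCFTYPES, guard_allows_index_buggy(NCFTYPES),
           guard_allows_index_fixed(NCFTYPES));

    /* In-range, unassigned, one-past-the-end and far out-of-range lookups
     * all go through the corrected guard without touching memory past
     * the table. */
    printf("1   -> %s\n", protoname_fixed(1, buf, sizeof buf));
    printf("3   -> %s\n", protoname_fixed(3, buf, sizeof buf));
    printf("%zu   -> %s\n", NCFTYPES, protoname_fixed(NCFTYPES, buf, sizeof buf));
    printf("200 -> %s\n", protoname_fixed(200, buf, sizeof buf));
    return 0;
}
```

The buggy guard is kept as a pure predicate rather than a lookup so the example never performs the out-of-bounds read itself; compiling the real function with `-fsanitize=address` (or `-fsanitize=bounds`) and feeding it `proto == NCFTYPES` is the quickest way to confirm the same off-by-one in any table guarded by `sizeof x / sizeof *x`.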