pppd: Be careful not to access beyond end of EAP packets #582
Merged
Conversation
In the EAP code there are a few places where we could read beyond the end of the received data in a malformed packet received from the peer. Because the received packet is in the statically-allocated inpacket_buf, and because EAP packets can only have a limited number of fields of limited size, these accesses would be within the bounds of inpacket_buf, not to unallocated data. Furthermore the data read were not disclosed to the peer and didn't affect the operation of pppd beyond being printed in log messages. Hence the security impact of these accesses is low, and in fact they don't appear to create any actual vulnerability. Nevertheless it is better to be careful, so this adds extra checks to make sure we never read beyond the end of the received data.

Thanks to Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc., for finding this.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
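The class of bug described in the commit message, as an added example that is not pppd's own code and does not mirror the lines the pull request changes: a parser for the EAP MD5-Challenge layout from RFC 3748 (Code, Identifier, Length, Type, then Value-Size, Value, Name) written twice, once taking the peer's Length and Value-Size fields at face value and once checking each field against the number of bytes actually received before using it. The unchecked variant only computes offsets and never dereferences them, so its bad layouts can be inspected safely; the three sample packets are constructed for the example and are not captured traffic. The error codes, struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EAP header (RFC 3748): Code, Identifier, Length (big-endian, counts the header too). */
#define EAP_HEADERLEN   4
#define EAP_REQUEST     1
#define EAP_RESPONSE    2
#define EAPT_MD5CHAP    4   /* MD5-Challenge type-data: Value-Size, Value, Name */

enum {
    EAP_OK         =  0,
    EAP_ERR_SHORT  = -1,   /* fewer bytes received than a fixed field needs */
    EAP_ERR_LENGTH = -2,   /* Length field disagrees with what actually arrived */
    EAP_ERR_CODE   = -3,
    EAP_ERR_TYPE   = -4,
    EAP_ERR_VALUE  = -5    /* Value-Size would run past the end of the packet */
};

/* Offsets into the received buffer rather than pointers, so a bad layout can
 * be examined without ever dereferencing it. */
struct eap_md5 {
    uint8_t  code, id;
    uint16_t length;
    size_t   value_off, value_size;
    size_t   name_off, name_len;
};

/* The pattern being fixed: trust Length and Value-Size exactly as the peer sent
 * them.  Reads bytes 0..5 unconditionally, so only call it with buflen >= 6. */
int eap_md5_layout_unchecked(const uint8_t *buf, struct eap_md5 *p)
{
    p->code = buf[0];
    p->id = buf[1];
    p->length = (uint16_t)((buf[2] << 8) | buf[3]);
    p->value_off = EAP_HEADERLEN + 2;                 /* after Type and Value-Size */
    p->value_size = buf[EAP_HEADERLEN + 1];
    p->name_off = p->value_off + p->value_size;
    p->name_len = (size_t)p->length - p->name_off;    /* wraps to a huge value if length < name_off */
    return EAP_OK;
}

/* Does every field the layout describes lie inside the bytes actually received?
 * Written as subtractions so that a wrapped name_len cannot wrap back to "fits". */
int eap_md5_fits(const struct eap_md5 *p, size_t buflen)
{
    return p->value_off <= buflen && p->value_size <= buflen - p->value_off &&
           p->name_off  <= buflen && p->name_len   <= buflen - p->name_off;
}

/* Hardened parser: each field is bounds-checked against buflen before it is read
 * or used to compute the position of the next one. */
int eap_md5_parse_checked(const uint8_t *buf, size_t buflen, struct eap_md5 *p)
{
    if (buflen < EAP_HEADERLEN)
        return EAP_ERR_SHORT;
    p->code = buf[0];
    p->id = buf[1];
    p->length = (uint16_t)((buf[2] << 8) | buf[3]);
    /* Length must cover the header and must not claim more than arrived. */
    if (p->length < EAP_HEADERLEN || p->length > buflen)
        return EAP_ERR_LENGTH;
    if (p->code != EAP_REQUEST && p->code != EAP_RESPONSE)
        return EAP_ERR_CODE;
    if (p->length < EAP_HEADERLEN + 1)
        return EAP_ERR_SHORT;                         /* no Type byte */
    if (buf[EAP_HEADERLEN] != EAPT_MD5CHAP)
        return EAP_ERR_TYPE;
    if (p->length < EAP_HEADERLEN + 2)
        return EAP_ERR_SHORT;                         /* no Value-Size byte */
    p->value_off = EAP_HEADERLEN + 2;
    p->value_size = buf[EAP_HEADERLEN + 1];
    if (p->value_size > (size_t)p->length - p->value_off)
        return EAP_ERR_VALUE;                         /* Value would run past Length */
    p->name_off = p->value_off + p->value_size;
    p->name_len = (size_t)p->length - p->name_off;    /* cannot underflow after the check above */
    return EAP_OK;
}

/* Constructed sample packets (not captures).  All three are 12 bytes on the wire. */
static const uint8_t pkt_good[]        = {1, 7, 0x00, 0x0c, 4,   4, 0xde, 0xad, 0xbe, 0xef, 'p', 'e'};
static const uint8_t pkt_bad_valsize[] = {1, 7, 0x00, 0x0c, 4, 200, 0xde, 0xad, 0xbe, 0xef, 'p', 'e'};
static const uint8_t pkt_bad_length[]  = {1, 7, 0x01, 0x00, 4,   4, 0xde, 0xad, 0xbe, 0xef, 'p', 'e'};

int checked_result(const uint8_t *buf, size_t buflen)
{
    struct eap_md5 p;
    return eap_md5_parse_checked(buf, buflen, &p);
}

int unchecked_fits(const uint8_t *buf, size_t buflen)
{
    struct eap_md5 p;
    eap_md5_layout_unchecked(buf, &p);
    return eap_md5_fits(&p, buflen);
}

int main(void)
{
    printf("good:        checked=%d  unchecked layout fits=%d\n",
           checked_result(pkt_good, sizeof pkt_good), unchecked_fits(pkt_good, sizeof pkt_good));
    printf("bad valsize: checked=%d  unchecked layout fits=%d\n",
           checked_result(pkt_bad_valsize, sizeof pkt_bad_valsize),
           unchecked_fits(pkt_bad_valsize, sizeof pkt_bad_valsize));
    printf("bad length:  checked=%d  unchecked layout fits=%d\n",
           checked_result(pkt_bad_length, sizeof pkt_bad_length),
           unchecked_fits(pkt_bad_length, sizeof pkt_bad_length));
    printf("truncated:   checked=%d\n", checked_result(pkt_good, 8));
    return 0;
}
```

The two malformed packets show the two independent ways an over-read arises: a Value-Size larger than what remains inside Length, and a Length larger than the number of bytes received. A parser that checks only one of them still reads past the received data, which is why the hardened version compares Length against buflen first and then every inner size against Length.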