l2tp: fix RCE through buffer overflow & fix LE/BE compatibility
Insufficient checks of valid l2tp header & avp length cause possible
RCE through buffer overflow, reported by https://github.com/WinMin
swings & leommxj, Chaitin Security Research Lab. Add missing header
length and avp length validation to fix the issue.

Order of struct bitfields is implementation-defined so current code
doesn't play well with big-endian arch. Switch to explicit flag bit
checking/gathering to fix the issue.

RFC 2661 and 3931 require that length and sequence flags must be set
and offset flag must not be set, so avp-permissive can't help in
these cases.
themiron committed Sep 5, 2020
1 parent 38b6104 commit 2324bcd
Showing 2 changed files with 126 additions and 108 deletions.
31 changes: 12 additions & 19 deletions accel-pppd/ctrl/l2tp/l2tp_prot.h
Expand Up @@ -5,17 +5,16 @@

#define L2TP_PORT 1701

#define L2TP_FLAG_T 0x8000
#define L2TP_FLAG_L 0x4000
#define L2TP_FLAG_S 0x0800
#define L2TP_FLAG_O 0x0200
#define L2TP_FLAG_P 0x0100
#define L2TP_VER_MASK 0x000f

struct l2tp_hdr_t
{
uint8_t P:1;
uint8_t O:1;
uint8_t reserved2:1;
uint8_t S:1;
uint8_t reserved1:2;
uint8_t L:1;
uint8_t T:1;
uint8_t ver:4;
uint8_t reserved3:4;
uint16_t flags;
uint16_t length;
union {
struct {
Expand All @@ -28,18 +27,13 @@ struct l2tp_hdr_t
uint16_t Nr;
} __attribute__((packed));

/*#define L2TP_T(hdr) (hdr->flags >> 15)
#define L2TP_L(hdr) ((hdr->flags >> 14) & 1)
#define L2TP_S(hdr) ((hdr->flags >> 10) & 1)
#define L2TP_O(hdr) ((hdr->flags >> 8) & 1)
#define L2TP_VER(hdr) (hdr->flags & 0xf)*/
#define L2TP_AVP_FLAG_M 0x8000
#define L2TP_AVP_FLAG_H 0x4000
#define L2TP_AVP_LEN_MASK 0x03ff

struct l2tp_avp_t
{
uint16_t length:10;
uint16_t reserved:4;
uint16_t H:1;
uint16_t M:1;
uint16_t flags;
uint16_t vendor;
uint16_t type;
uint8_t val[0];
Expand All @@ -53,4 +47,3 @@ struct l2tp_avp_result_code
} __attribute__((packed));

#endif

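Review bot: The new L2TP_FLAG_*, L2TP_VER_MASK and L2TP_AVP_* masks are host-order constants, while the `uint16_t flags` field that replaces the bitfields in both packed structs still holds the big-endian wire value, and nothing in the header says a reader must go through ntohs() before masking; masking the raw field would test the wrong bits on little-endian hosts. A one-line comment above each group, `/* host-order masks; apply to ntohs(hdr->flags), the wire field is big-endian */`, pins the contract that the .c side has to follow. For the AVP group it would also help the new length validation to note that the 10-bit value under L2TP_AVP_LEN_MASK counts the 6-byte AVP header (flags, vendor, type) itself, so anything below 6 is malformed and the value only bounds `val[]` after that header is subtracted. The body of struct l2tp_hdr_t continues past the first hunk and is not fully visible here.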