Abnormal packet sequence can cause stack-buffer-underflow #158
To make clear the reason of the crash, we added some debug information to see the value of
diff --git a/accel-pppd/ctrl/pptp/pptp.c b/accel-pppd/ctrl/pptp/pptp.c
index a5bcaca..89e4b78 100644
--- a/accel-pppd/ctrl/pptp/pptp.c
+++ b/accel-pppd/ctrl/pptp/pptp.c
@@ -145,6 +145,8 @@ again:
}
}
}
+ log_info2("[debug] n: %d\n", n);
+ log_info2("[debug] errno: %d\n", errno);
if ( n<size ) {
memcpy(conn->out_buf, (uint8_t *)buf + n, size - n);
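Review bot: the second added line reads errno only after `log_info2("[debug] n: %d\n", n);` has run, and a logging call that writes to a file or descriptor can itself overwrite errno, so the printed value may not be the one left by the failing write. Save it first (`int saved_errno = errno;`) immediately after the call that returned n, then print n and saved_errno together in one log_info2 call.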
then the server log becomes:

From above, we can infer that the code doesn't handle the situation when accel-ppp/accel-pppd/ctrl/pptp/pptp.c Lines 135 to 152 in 1b8711c
The return value of accel-ppp/accel-pppd/ctrl/pptp/pptp.c Line 150 in 1b8711c
I think the error handling code of `post_msg` is wrongly implemented due to a coding typo. `EPIPE` should also be considered and then return -1, just like `PPTP_write`: https://github.com/xebd/accel-ppp/blob/1b8711cf75a7c278d99840112bc7a396398e0205/accel-pppd/ctrl/pptp/pptp.c#L539-L570 This PR fixes xebd#158.
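The failure mode the two comments above describe, as an added example that is not accel-ppp's code: when a write returns -1 and that errno is not classified before the `if (n < size) memcpy(out_buf, buf + n, size - n)` remainder copy, the -1 is treated as a byte count, so the copy source becomes one byte before the caller's buffer and the length becomes size + 1, which is exactly a stack-buffer-underflow read when the message lives on the stack. The `struct conn`, the `writer_fn` callback, the constructed writers and the exact errno classification are assumptions made for this example; only the out_buf remainder copy mirrors what the diff shows.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define OUT_BUF_SIZE 256

/* Hypothetical per-connection state. Only out_buf mirrors the field visible in
   the issue's diff; the rest is invented for this example. */
struct conn {
    uint8_t out_buf[OUT_BUF_SIZE];
    size_t out_size;
};

/* Writer callback standing in for write(2)/send(2): returns the number of bytes
   accepted, or -1 with errno set. Lets the example run without a socket. */
typedef ssize_t (*writer_fn)(const void *buf, size_t size);

/* What the unguarded remainder copy would compute when n is an error return.
   Reports the source offset and copy length instead of performing the copy. */
void unguarded_tail(ssize_t n, size_t size, long *src_off, size_t *copy_len)
{
    *src_off = (long)n;           /* n == -1: one byte before the caller's buffer */
    *copy_len = size - (size_t)n; /* size - (-1) wraps around to size + 1 */
}

/* Hardened sender: classify the return value before using it as a byte count.
   The EAGAIN/EPIPE split is this example's assumption about the intended policy. */
int post_msg_checked(struct conn *c, writer_fn w, const void *buf, size_t size)
{
    ssize_t n = w(buf, size);
    if (n < 0) {
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
            n = 0;        /* nothing went out: queue the whole message */
        } else {
            return -1;    /* EPIPE, ECONNRESET, ...: the peer is gone, give up */
        }
    }
    if ((size_t)n < size) {
        size_t rest = size - (size_t)n;
        if (rest > sizeof(c->out_buf))
            return -1;    /* the pending buffer must not overflow either */
        memcpy(c->out_buf, (const uint8_t *)buf + n, rest);
        c->out_size = rest;
    } else {
        c->out_size = 0;
    }
    return 0;
}

/* Constructed writers modelling the three outcomes a real socket can produce. */
ssize_t writer_partial(const void *buf, size_t size)
{
    (void)buf;
    return size > 3 ? 3 : (ssize_t)size;   /* short write: 3 bytes accepted */
}
ssize_t writer_epipe(const void *buf, size_t size)
{
    (void)buf; (void)size;
    errno = EPIPE;                         /* peer closed the control connection */
    return -1;
}
ssize_t writer_eagain(const void *buf, size_t size)
{
    (void)buf; (void)size;
    errno = EAGAIN;                        /* socket buffer full, try later */
    return -1;
}

int main(void)
{
    struct conn c;
    uint8_t msg[16] = "PPTP-CALL-CLEAR";   /* constructed stack-resident message */
    long off;
    size_t len;

    memset(&c, 0, sizeof(c));
    unguarded_tail(-1, sizeof(msg), &off, &len);
    printf("unguarded path: source offset %ld, copy length %zu\n", off, len);

    printf("partial -> %d, %zu bytes queued\n",
           post_msg_checked(&c, writer_partial, msg, sizeof(msg)), c.out_size);
    printf("epipe   -> %d\n", post_msg_checked(&c, writer_epipe, msg, sizeof(msg)));
    printf("eagain  -> %d, %zu bytes queued\n",
           post_msg_checked(&c, writer_eagain, msg, sizeof(msg)), c.out_size);
    return 0;
}
```

The ordering is the point: the sign of n is decided before any arithmetic on it, so an errno the code does not expect can only lead to a clean -1 rather than to a copy that starts before the buffer. With ASan, the unguarded arithmetic applied to a stack array reports exactly the stack-buffer-underflow named in the title.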
Using version
accel-ppp version 1.12.0-149-gff91c73.

Summary
Sending PPTP Call Clear Request packet after PPTP Start Control Connection Request and PPTP Outgoing Call Request to server can cause stack-buffer-underflow.

PoC
Here is the detailed information of sent packets:

Hint: the call_id field is randomly generated thus directly forwarding those three packets might not reproduce the scene. To reproduce it, it's necessary to construct similar packets.

Crash report
log of server:

Here is the asan report:

Reproduce info
Build accel-ppp:

Run accel-pppd, use the following command:

The running configuration /etc/accel-ppp.conf is:

use chap-secrets and the /etc/ppp/chap-secrets.ppp is as follows: