summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Fedoryshchenko <denys.f@collabora.com>2026-07-06 11:28:53 +0300
committerDenys Fedoryshchenko <denys.f@collabora.com>2026-07-06 11:28:53 +0300
commit2ba4437b88dc54ebc5dea6ba1c2007b9cd4aa0e0 (patch)
tree232a8f10c98ffe9adb52bda71ff602a03e3451fb
parent5787a45a952c021f697b31abe0063013912d7c8b (diff)
downloadaccel-ppp-2ba4437b88dc54ebc5dea6ba1c2007b9cd4aa0e0.tar.gz
accel-ppp-2ba4437b88dc54ebc5dea6ba1c2007b9cd4aa0e0.zip
pppoe: fix use-after-free in mac_filter_load()
When a mac-filter file line contained an octet > 255, the error path freed the entry but kept writing to it and linked it into mac_list. Validate all octets before allocating so invalid lines are skipped entirely. This is not considered a security vulnerability: the mac-filter file can only be configured by an administrator with access to the daemon config, or the CLI, both of which require privileged access. Fixes #307 Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
-rw-r--r--accel-pppd/ctrl/pppoe/mac_filter.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/accel-pppd/ctrl/pppoe/mac_filter.c b/accel-pppd/ctrl/pppoe/mac_filter.c
index ba78df6b..3a6a00d6 100644
--- a/accel-pppd/ctrl/pppoe/mac_filter.c
+++ b/accel-pppd/ctrl/pppoe/mac_filter.c
@@ -92,15 +92,17 @@ static int mac_filter_load(const char *opt)
log_warn("pppoe: mac-filter:%s:%i: address is invalid\n", name, line);
continue;
}
- mac = _malloc(sizeof(*mac));
for (i = 0; i < ETH_ALEN; i++) {
- if (n[i] > 255) {
- log_warn("pppoe: mac-filter:%s:%i: address is invalid\n", name, line);
- _free(mac);
- continue;
- }
- mac->addr[i] = n[i];
+ if (n[i] > 255)
+ break;
}
+ if (i < ETH_ALEN) {
+ log_warn("pppoe: mac-filter:%s:%i: address is invalid\n", name, line);
+ continue;
+ }
+ mac = _malloc(sizeof(*mac));
+ for (i = 0; i < ETH_ALEN; i++)
+ mac->addr[i] = n[i];
list_add_tail(&mac->entry, &mac_list);
}
pthread_rwlock_unlock(&lock);