author | Vladislav Grishenko <themiron@mail.ru> | 2020-09-06 02:38:35 +0500 |
---|---|---|
committer | Vladislav Grishenko <themiron@mail.ru> | 2020-09-06 02:38:35 +0500 |
commit | 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b (patch) | |
tree | 27edebeda3209ef2435f2840a975f515085d2b6e /accel-pppd/ctrl/l2tp/l2tp_prot.h | |
parent | 38b6104538522caf140796982e79db334aecaa08 (diff) | |
download | accel-ppp-2324bcd5ba12cf28f47357a8f03cd41b7c04c52b.tar.gz accel-ppp-2324bcd5ba12cf28f47357a8f03cd41b7c04c52b.zip |
l2tp: fix RCE through buffer overflow & fix LE/BE compatibility
Insufficient checks of valid l2tp header & avp length cause possible
RCE through buffer overflow, reported by https://github.com/WinMin
swings & leommxj, Chaitin Security Research Lab. Add missing header
length and avp length validation to fix the issue.
Order of struct bitfields is implementation-defined so current code
doesn't play well with big-endian arch. Switch to explicit flag bit
checking/gathering to fix the issue.
RFC 2661 and 3931 require that length and sequence flags must be set
and offset flag must not be set, so avp-permissive can't help in
these cases.
Diffstat (limited to 'accel-pppd/ctrl/l2tp/l2tp_prot.h')
-rw-r--r-- | accel-pppd/ctrl/l2tp/l2tp_prot.h | 31 |
1 files changed, 12 insertions, 19 deletions
diff --git a/accel-pppd/ctrl/l2tp/l2tp_prot.h b/accel-pppd/ctrl/l2tp/l2tp_prot.h
index 559b29cf..75cc87fa 100644
--- a/accel-pppd/ctrl/l2tp/l2tp_prot.h
+++ b/accel-pppd/ctrl/l2tp/l2tp_prot.h
@@ -5,17 +5,16 @@
 
 #define L2TP_PORT 1701
 
+#define L2TP_FLAG_T 0x8000
+#define L2TP_FLAG_L 0x4000
+#define L2TP_FLAG_S 0x0800
+#define L2TP_FLAG_O 0x0200
+#define L2TP_FLAG_P 0x0100
+#define L2TP_VER_MASK 0x000f
+
 struct l2tp_hdr_t
 {
-	uint8_t P:1;
-	uint8_t O:1;
-	uint8_t reserved2:1;
-	uint8_t S:1;
-	uint8_t reserved1:2;
-	uint8_t L:1;
-	uint8_t T:1;
-	uint8_t ver:4;
-	uint8_t reserved3:4;
+	uint16_t flags;
 	uint16_t length;
 	union {
 		struct {
@@ -28,18 +27,13 @@ struct l2tp_hdr_t
 	uint16_t Nr;
 } __attribute__((packed));
 
-/*#define L2TP_T(hdr) (hdr->flags >> 15)
-#define L2TP_L(hdr) ((hdr->flags >> 14) & 1)
-#define L2TP_S(hdr) ((hdr->flags >> 10) & 1)
-#define L2TP_O(hdr) ((hdr->flags >> 8) & 1)
-#define L2TP_VER(hdr) (hdr->flags & 0xf)*/
+#define L2TP_AVP_FLAG_M 0x8000
+#define L2TP_AVP_FLAG_H 0x4000
+#define L2TP_AVP_LEN_MASK 0x03ff
 
 struct l2tp_avp_t
 {
-	uint16_t length:10;
-	uint16_t reserved:4;
-	uint16_t H:1;
-	uint16_t M:1;
+	uint16_t flags;
 	uint16_t vendor;
 	uint16_t type;
 	uint8_t val[0];
@@ -53,4 +47,3 @@ struct l2tp_avp_result_code
 } __attribute__((packed));
 
 #endif
-
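Review bot: The new L2TP_FLAG_* and L2TP_VER_MASK constants select the right bits only when applied to a host-order value, since `flags` and `length` sit in a packed wire structure and presumably arrive in network byte order, yet nothing in the header says which order the masks expect. A one-line comment above the defines would stop a caller masking the raw field, e.g. `/* flags/length are in network byte order on the wire; apply L2TP_FLAG_* and L2TP_VER_MASK to ntohs(hdr->flags) */`. Since the commit message states that L and S must be set and O must be clear, a named combination such as `#define L2TP_FLAG_REQUIRED (L2TP_FLAG_L | L2TP_FLAG_S)` next to these defines would keep that RFC 2661/3931 check in one place rather than spread through the parser. The struct l2tp_hdr_t definition continues past the end of this hunk.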
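Review bot: L2TP_AVP_LEN_MASK records the 10-bit width but not that the extracted length counts the 6-byte AVP header itself, so a value below sizeof(struct l2tp_avp_t) or larger than the bytes left in the packet is malformed; the validation the commit message describes lives outside this header, and a reader of l2tp_prot.h gets no hint of the bound. I'd add `/* AVP length (10 bits) includes this 6-byte header: valid values are sizeof(struct l2tp_avp_t) <= len <= bytes remaining in the packet */` above the mask. The same byte-order caveat as for the header flags applies: the masks presumably expect ntohs(avp->flags), which is worth stating once. On the unchanged `uint8_t val[0];` line, the GNU zero-length array could become the C99 flexible array member `uint8_t val[];` for portability.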