authorVladislav Grishenko <themiron@mail.ru>2020-09-06 02:38:35 +0500
committerVladislav Grishenko <themiron@mail.ru>2020-09-06 02:38:35 +0500
commit2324bcd5ba12cf28f47357a8f03cd41b7c04c52b (patch)
tree27edebeda3209ef2435f2840a975f515085d2b6e /accel-pppd/ctrl/l2tp/l2tp_prot.h
parent38b6104538522caf140796982e79db334aecaa08 (diff)
l2tp: fix RCE through buffer overflow & fix LE/BE compatibility
Insufficient checks of the L2TP header and AVP length allow a possible RCE through buffer overflow, reported by https://github.com/WinMin swings & leommxj, Chaitin Security Research Lab. Add the missing header length and AVP length validation to fix the issue. The order of struct bitfields is implementation-defined, so the current code doesn't play well with big-endian architectures; switch to explicit flag bit checking/gathering to fix that. RFC 2661 and RFC 3931 require that the length and sequence flags be set and the offset flag be unset, so avp-permissive can't help in these cases.
Diffstat (limited to 'accel-pppd/ctrl/l2tp/l2tp_prot.h')
-rw-r--r--accel-pppd/ctrl/l2tp/l2tp_prot.h31
1 files changed, 12 insertions, 19 deletions
diff --git a/accel-pppd/ctrl/l2tp/l2tp_prot.h b/accel-pppd/ctrl/l2tp/l2tp_prot.h
index 559b29cf..75cc87fa 100644
--- a/accel-pppd/ctrl/l2tp/l2tp_prot.h
+++ b/accel-pppd/ctrl/l2tp/l2tp_prot.h
@@ -5,17 +5,16 @@
#define L2TP_PORT 1701
+#define L2TP_FLAG_T 0x8000
+#define L2TP_FLAG_L 0x4000
+#define L2TP_FLAG_S 0x0800
+#define L2TP_FLAG_O 0x0200
+#define L2TP_FLAG_P 0x0100
+#define L2TP_VER_MASK 0x000f
+
struct l2tp_hdr_t
{
- uint8_t P:1;
- uint8_t O:1;
- uint8_t reserved2:1;
- uint8_t S:1;
- uint8_t reserved1:2;
- uint8_t L:1;
- uint8_t T:1;
- uint8_t ver:4;
- uint8_t reserved3:4;
+ uint16_t flags;
uint16_t length;
union {
struct {
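Review bot: The new `flags` field replaces the bitfields with a raw 16-bit word, but nothing in the header says which byte order the `L2TP_FLAG_*` and `L2TP_VER_MASK` values apply to; they match the RFC 2661 bit positions of the network-order word, so they are only correct against `ntohs(hdr->flags)` (or as `htons(L2TP_FLAG_x)` against the raw field), and the same holds for `L2TP_AVP_FLAG_*` and `L2TP_AVP_LEN_MASK` in the next hunk. I would add above the defines `/* Masks for the flags/version word in host order: apply after ntohs() on receive and before htons() on send. */`. The struct also does not record that `length` is meaningful only when `L2TP_FLAG_L` is set and that it counts the whole message including this header, which is the property the added length validation relies on; a one-line `/* total message length incl. header; valid only when L2TP_FLAG_L is set */` next to the field would capture it. `struct l2tp_hdr_t` continues past the end of this hunk.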
@@ -28,18 +27,13 @@ struct l2tp_hdr_t
uint16_t Nr;
} __attribute__((packed));
-/*#define L2TP_T(hdr) (hdr->flags >> 15)
-#define L2TP_L(hdr) ((hdr->flags >> 14) & 1)
-#define L2TP_S(hdr) ((hdr->flags >> 10) & 1)
-#define L2TP_O(hdr) ((hdr->flags >> 8) & 1)
-#define L2TP_VER(hdr) (hdr->flags & 0xf)*/
+#define L2TP_AVP_FLAG_M 0x8000
+#define L2TP_AVP_FLAG_H 0x4000
+#define L2TP_AVP_LEN_MASK 0x03ff
struct l2tp_avp_t
{
- uint16_t length:10;
- uint16_t reserved:4;
- uint16_t H:1;
- uint16_t M:1;
+ uint16_t flags;
uint16_t vendor;
uint16_t type;
uint8_t val[0];
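Review bot: `L2TP_AVP_LEN_MASK` extracts the 10-bit AVP length, but the header does not say that this value counts the six-byte AVP header itself, so a reader cannot tell that anything below `sizeof(struct l2tp_avp_t)`, or running past the end of the enclosing message, is malformed — which is exactly the AVP length check the commit message says is added in other files. I would put `/* 10-bit length of the whole AVP, header included; values below sizeof(struct l2tp_avp_t) or beyond the end of the message are invalid */` above the mask, and note on `L2TP_AVP_FLAG_H` that it marks a hidden AVP whose `val` bytes must be unhidden before they are interpreted. As a style point, the AVP defines are not separated from `struct l2tp_avp_t` by a blank line the way the header defines are in the first hunk.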
@@ -53,4 +47,3 @@ struct l2tp_avp_result_code
} __attribute__((packed));
#endif
-