Age | Commit message | Author

leftover after 09f73dab273989c6f36efe548c4b5e83d83b5416
Some bugfixes found by cppcheck
Starting program: /usr/sbin/accel-pppd -c /etc/accel-ppp/accel-ppp.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
[New Thread 0xb7ad9b40 (LWP 24563)]
[New Thread 0xb72d8b40 (LWP 24566)]
[New Thread 0xb6ad7b40 (LWP 24567)]
[New Thread 0xb60ffb40 (LWP 24569)]
[New Thread 0xb58feb40 (LWP 24570)]
[New Thread 0xb50fdb40 (LWP 24572)]
[New Thread 0xb48fcb40 (LWP 24573)]
conf_file:/etc/accel-ppp/accel-ppp.conf:93: no section opened
memory corruption:
malloc(10) at /var/tmp/portage/net-dialup/accel-ppp-9999/work/accel-ppp-9999/accel-pppd/triton/conf_file.c:117
free at /var/tmp/portage/net-dialup/accel-ppp-9999/work/accel-ppp-9999/accel-pppd/triton/conf_file.c:193
*** Error in `/usr/sbin/accel-pppd': corrupted double-linked list: 0xb61018c8 ***
Thread 3 "accel-pppd" received signal SIGABRT, Aborted.
[Switching to Thread 0xb72d8b40 (LWP 24566)]
0xb7fdc428 in __kernel_vsyscall ()
(gdb) bt full
No symbol table info available.
No symbol table info available.
No symbol table info available.
at /var/tmp/portage/net-dialup/accel-ppp-9999/work/accel-ppp-9999/accel-pppd/memdebug.c:90
mem = 0xb61018d0
r = 0
ctx = {fname = 0xb7fda1c4 <sections> "D\036ПЁт!\020╤╓R\005─\\m\005──", file = 0xfa8c7f2b, line = 108205909, items = 0x0}
sect = 0x8002f1bf <log_switch>
r = -2147097804
sections_bak = {next = 0xb3d01554, prev = 0xb3d016ec}
t = 0xb7ff2750
r = 4
set = {__val = {516, 0 <repeats 31 times>}}
sig = 10
need_free = 0
stack = 0x0
No symbol table info available.
No symbol table info available.
[accel-pppd/cli/tcp.c:305]: (error) Uninitialized variable: cln
[accel-pppd/cli/telnet.c:642]: (error) Uninitialized variable: cln
[accel-pppd/ctrl/l2tp/l2tp.c:4302]: (error) Uninitialized variable: msg_attr
[accel-pppd/ctrl/l2tp/l2tp.c:4484]: (error) Uninitialized variable: msg_type
[accel-pppd/ctrl/pppoe/disc.c:169]: (error) Uninitialized variable: n
[accel-pppd/ctrl/pppoe/pppoe.c:1588]: (error) Uninitialized variable: pado
[accel-pppd/ctrl/ipoe/ipoe.c:4054]: (style) A pointer can not be negative so it is either pointless or an error to check if it is not.
[accel-pppd/logs/log_syslog.c:148]: (error) Array 'facility_name[9]' accessed at index 35, which is out of bounds.
[accel-pppd/lua/session.c:274]: (error) Common realloc mistake: 'mods' nulled but not freed upon failure
[accel-pppd/extra/ippool.c:114]: (warning) %u in format string (no. 1) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:114]: (warning) %u in format string (no. 2) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:114]: (warning) %u in format string (no. 3) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:114]: (warning) %u in format string (no. 4) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:114]: (warning) %u in format string (no. 5) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:141]: (warning) %u in format string (no. 1) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:141]: (warning) %u in format string (no. 2) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:141]: (warning) %u in format string (no. 3) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:141]: (warning) %u in format string (no. 4) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/extra/ippool.c:141]: (warning) %u in format string (no. 5) requires 'unsigned int *' but the argument type is 'int *'.
[accel-pppd/main.c:97]: (warning) %d in format string (no. 1) requires 'int *' but the argument type is 'unsigned int *'.
[accel-pppd/radius/radius.c:687] -> [accel-pppd/radius/radius.c:690]: (warning) Possible null pointer dereference: rpd - otherwise it is redundant to check it against null.
[accel-pppd/radius/serv.c:805] -> [accel-pppd/radius/serv.c:829]: (warning) Possible null pointer dereference: ptr2 - otherwise it is redundant to check it against null.
[accel-pppd/radius/serv.c:813] -> [accel-pppd/radius/serv.c:829]: (warning) Possible null pointer dereference: ptr2 - otherwise it is redundant to check it against null.
[accel-pppd/radius/serv.c:823] -> [accel-pppd/radius/serv.c:829]: (warning) Possible null pointer dereference: ptr2 - otherwise it is redundant to check it against null.
cli/telnet: fix crash on damaged history file.
small check for zero buffer length on load history
Insufficient checks of valid l2tp header & avp length cause possible
RCE through buffer overflow, reported by https://github.com/WinMin
swings & leommxj, Chaitin Security Research Lab. Add missing header
length and avp length validation to fix the issue.
Order of struct bitfields is implementation-defined so current code
doesn't play well with big-endian arch. Switch to explicit flag bit
checking/gathering to fix the issue.
RFC 2661 and 3931 require that length and sequence flags must be set
and offset flag must not be set, so avp-permissive can't help in
these cases.
lcp auth doesn't take into account auth extra bytes
for lcp request buffer allocation for chap/mschap/mschapv2
protocols, so the last byte corrupts memory with undefined behavior
incl. crash.
magic value of 65535 reported to have throughput issues on unreliable
transports (3G/4G), so let it be configurable.
zero value means use system defaults:
[sstp]
sndbuf=0
rcvbuf=0
3.3.2.1 Negotiation Timer
When establishing the SSTP connection, the SSTP server starts the negotiation timer.
2. After sending the Call Connect Acknowledge message, if the server does not receive a Call
Connected message before the Negotiation timer expires then it MUST send a Call Abort message
and start the process of bringing down (disconnecting) the connection. The server MAY implement
different timer values for the Call Connected message and the Call Connect Request message.
3.3.7.1 Server-Side Interface with PPP
When the server receives a PPP data frame from the PPP layer, the server MUST perform the
following steps:
* If CurrentState is set to Server_Call_Connected: Generate an SSTP data
packet (section 2.2.3) with the PPP frame as the higher-layer payload and send the packet to
the HTTPS layer.
* Else, drop the PPP frame.
sstp-client is known to be broken: it doesn't send SSTP_MSG_CALL_CONNECTED with
PAP and CHAP-MD5 auth, so no network data flow and a disconnect by the negotiation
timer are expected.
sstp-client sends the SSTP_MSG_CALL_CONNECTED message too early,
before the auth response, so HLAK can't be known yet and subsequent
HLAK-based validation fails.
Work around the issue by deferring acceptance of SSTP_MSG_CALL_CONNECTED
until auth has either succeeded or been bypassed.
Refer to #6 for more details.
If Delegated-IPv6-Prefix was received in the Access-Accept message, it is
necessary to send it in the radacct Start message.
Check for length in pppoe tags
T13: Fix build procedure