From c3710b6bca55450339bd882207eaf180d5674dab Mon Sep 17 00:00:00 2001
From: Guillaume Nault
Date: Wed, 7 Nov 2018 19:28:58 +0100
Subject: ipcp: fix uninitialised memory access when negotiating *-NBNS-Address

When handling the EV_WINS event, IPCP assumes that the ->wins1 and
->wins2 fields of the event structure are properly set. But that may
not be the case. If only one of the MS-Primary-NBNS-Server or
MS-Secondary-NBNS-Server RADIUS attributes was received, then only
->wins1 or ->wins2 is set, while the other keeps a non-initialised
value.

This uninitialised value is then copied by ev_wins() and proposed to
the peer when negotiating the Primary-NBNS-Address or
Secondary-NBNS-Address IPCP options. That leaks four bytes of the stack
to the network and prevents using the values found in the [wins]
section of accel-ppp.conf as fallback.

Fix this by initialising the whole event structure in rad_proc_attrs().
Then, in ev_wins(), we can check if ->wins1 or ->wins2 is properly set
before copying them. That allows to properly fall back to accel-ppp.conf
values when one of the values was not provided by RADIUS.

Signed-off-by: Guillaume Nault
---
 accel-pppd/ppp/ipcp_opt_wins.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'accel-pppd/ppp/ipcp_opt_wins.c')

diff --git a/accel-pppd/ppp/ipcp_opt_wins.c b/accel-pppd/ppp/ipcp_opt_wins.c
index c9a3bb5c..da4dc9ba 100644
--- a/accel-pppd/ppp/ipcp_opt_wins.c
+++ b/accel-pppd/ppp/ipcp_opt_wins.c
@@ -151,11 +151,15 @@ static void ev_wins(struct ev_wins_t *ev) ppp = container_of(ev->ses, typeof(*ppp), ses); - wins_opt = container_of(ipcp_find_option(ppp, &wins1_opt_hnd), typeof(*wins_opt), opt); - wins_opt->addr = ev->wins1; + if (ev->wins1) { + wins_opt = container_of(ipcp_find_option(ppp, &wins1_opt_hnd), typeof(*wins_opt), opt); + wins_opt->addr = ev->wins1; + } - wins_opt = container_of(ipcp_find_option(ppp, &wins2_opt_hnd), typeof(*wins_opt), opt); - wins_opt->addr = ev->wins2; + if (ev->wins2) { + wins_opt = container_of(ipcp_find_option(ppp, &wins2_opt_hnd), typeof(*wins_opt), opt); + wins_opt->addr = ev->wins2; + } } static void load_config(void) -- cgit v1.2.3
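
Review bot: The new "if (ev->wins1)" and "if (ev->wins2)" guards in ev_wins() treat 0 as the "not provided" marker, so they are only correct if every code path that raises EV_WINS zero-fills struct ev_wins_t before setting the fields it has. The commit message says rad_proc_attrs() now does this, but that change is not among the lines shown here (the view is limited to ipcp_opt_wins.c), so please confirm that no other emitter of the event leaves ->wins1 or ->wins2 unset, and add a short comment above the guards stating that a zero address means the accel-ppp.conf value is kept. Separately, both branches still pass the result of ipcp_find_option() straight into container_of() and then write ->addr; if that lookup can return NULL, check it before the assignment.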