path: root/accel-pppd/ctrl/ipoe/dhcpv4.c
author Vladislav Grishenko <themiron@mail.ru> 2020-09-06 02:38:35 +0500
committer Vladislav Grishenko <themiron@mail.ru> 2020-09-06 02:38:35 +0500
commit 2324bcd5ba12cf28f47357a8f03cd41b7c04c52b
tree 27edebeda3209ef2435f2840a975f515085d2b6e /accel-pppd/ctrl/ipoe/dhcpv4.c
parent 38b6104538522caf140796982e79db334aecaa08
l2tp: fix RCE through buffer overflow & fix LE/BE compatibility
Insufficient checks of valid l2tp header & avp length cause possible RCE through buffer overflow, reported by https://github.com/WinMin swings & leommxj, Chaitin Security Research Lab. Add missing header length and avp length validation to fix the issue.

Order of struct bitfields is implementation-defined so current code doesn't play well with big-endian arch. Switch to explicit flag bit checking/gathering to fix the issue.

RFC 2661 and 3931 require that length, sequence flags must be set and offset flag must not be set, so avp-permissive can't help in these cases.
Diffstat (limited to 'accel-pppd/ctrl/ipoe/dhcpv4.c')
0 files changed, 0 insertions, 0 deletions
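
The checks the commit message describes, sketched as an added example (this is not accel-ppp's code): explicit flag masks instead of struct bitfields, then header and AVP length validation before any byte is used. It assumes the RFC 2661 (L2TPv2) control header layout; the function name, macros and sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 2661 flag bits in the first 16-bit word (network byte order) */
#define L2TP_T       0x8000 /* control message */
#define L2TP_L       0x4000 /* Length field present */
#define L2TP_S       0x0800 /* Ns/Nr present */
#define L2TP_O       0x0200 /* Offset Size present */
#define L2TP_VER     0x000f
#define L2TP_HDR_LEN 12     /* flags, length, tunnel id, session id, Ns, Nr */
#define AVP_HDR_LEN  6      /* flags+length, vendor id, attribute type */
#define AVP_LEN_MASK 0x03ff /* low 10 bits of the first AVP word */

/* Constructed sample: control header plus one 8-byte Message Type AVP */
static const uint8_t sample_ok[] = {
    0xc8, 0x02, 0x00, 0x14, 0, 0, 0, 0, 0, 0, 0, 0,
    0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
};

/* Read a big-endian 16-bit value; same result on LE and BE hosts */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns the number of AVPs in a control message, or -1 if malformed */
int l2tp_check_ctrl(const uint8_t *buf, size_t n)
{
    if (n < L2TP_HDR_LEN) return -1;            /* header must fit in the datagram */
    uint16_t flags = rd16(buf);
    if ((flags & L2TP_VER) != 2 || !(flags & L2TP_T)) return -1;
    if (!(flags & L2TP_L) || !(flags & L2TP_S) || (flags & L2TP_O)) return -1;
    size_t len = rd16(buf + 2);
    if (len < L2TP_HDR_LEN || len > n) return -1; /* declared length vs. received bytes */
    size_t off = L2TP_HDR_LEN;
    int count = 0;
    while (off < len) {
        if (len - off < AVP_HDR_LEN) return -1;  /* AVP header must fit */
        size_t alen = rd16(buf + off) & AVP_LEN_MASK;
        if (alen < AVP_HDR_LEN || alen > len - off) return -1;
        off += alen;
        count++;
    }
    return count;
}

int main(void) { return l2tp_check_ctrl(sample_ok, sizeof sample_ok) == 1 ? 0 : 1; }
```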