summaryrefslogtreecommitdiff
path: root/accel-pppd
AgeCommit message (Collapse)Author
2020-10-21radius: sanity check for vendor attribute lengthDmitry Kozlov
2020-10-15cli/telnet: fix crash on damaged history file.shumbor
small check for zero buffer length on load history
2020-09-13shaper: fix support for Mikrotik-Rate-Limit with burstsVladislav Grishenko
2020-09-13shaper: fix up/down order for Mikrotik-Rate-LimitVladislav Grishenko
2020-09-13radius: keep vendor & attr numbers in orderVladislav Grishenko
2020-09-11radius: add MikroTik dictionaryVladislav Grishenko
2020-09-11shaper: add support for speed suffixes (B/K/M/G)Vladislav Grishenko
2020-09-06radius: fix crash with l4-redirect with no ipv6 (T23)Vladislav Grishenko
2020-09-06auth/chap-secrets/dhcpv4: fix big-endian arch supportVladislav Grishenko
2020-09-06l2tp: fix RCE through buffer overflow & fix LE/BE compatibilityVladislav Grishenko
Unsufficent checks of valid l2tp header & avp length cause possible RCE through buffer overflow, reported by https://github.com/WinMin swings & leommxj, Chaitin Security Research Lab. Add missed header length and avp length validation to fix the issue. Order of struct bitfields is implementation-defined so current code doesn't play well with big-endian arch. switch to explicit flag bit checking/gathering to fix the issue. RFC 2661 and 3931 requires that length, seqeuence flags must be set and offset flag must not be set, so avp-premissive can't help in this cases.
2020-08-10triton: clear trig_epoll_events after readDmitry Kozlov
2020-08-09ppp: lcp: fix ConfAck and CodeRej log formatVladislav Grishenko
2020-08-09sstp: avoid redundant writes to ppp socketVladislav Grishenko
2020-08-09sstp: switch to async sendingVladislav Grishenko
2020-08-02ppp: lcp: auth: fix one-by-one oveflowVladislav Grishenko
lcp auth doesn't take into account auth extra bytes for lcp request buffer allocation for chap/mschap/mschapv2 protocols, so last byte corrupts memory with undefined behavior incl. crash.
2020-08-01sstp: allow to configure send & receive buffer sizesVladislav Grishenko
magic value of 65535 reported to have thoughput issues on unreliable transports (3G/4G), so let it be configurable. zero value means use system defaults: [sstp] sndbuf=0 rvcbuf=0
2020-08-01sstp: speed up data pathVladislav Grishenko
2020-08-01sstp: use quick linger for closing socketsVladislav Grishenko
2020-07-01sstp: stop being noisy w/o verbose modeVladislav Grishenko
2020-06-29ppp: pppoe: disable iprange checkVladislav Grishenko
2020-06-29sstp: fix MITM w/o SSTP_MSG_CALL_CONNECTED is being sentVladislav Grishenko
3.3.2.1 Negotiation Timer When establishing the SSTP connection, the SSTP server starts the negotiation timer. 2. After sending the Call Connect Acknowledge message, if the server does not receive a Call Connected message before the Negotiation timer expires then it MUST send a Call Abort message and start the process of bringing down (disconnecting) the connection. The server MAY implement different timer values for the Call Connected message and the Call Connect Request message. 3.3.7.1 Server-Side Interface with PPP When the server receives a PPP data frame from the PPP layer, the server MUST perform the following steps: * If CurrentState is set to Server_Call_Connected: Generate an SSTP data packet (section 2.2.3) with the PPP frame as the higher-layer payload and send the packet to the HTTPS layer. * Else, drop the PPP frame. sstp-client is known to be broken, it doesn't send SSTP_MSG_CALL_CONNECTED with PAP and CHAP-MD5 auth, no network data flow and disconnect by negotiation timer is expected.
2020-06-29sstp: fix compound mac validation with broken clientsVladislav Grishenko
sstp-client sends SSTP_MSG_CALL_CONNECTED message too early, before auth response, so HLAK can't be known yet and subsequent HLAK-based validation fails. workaround the issue by defer accepting SSTP_MSG_CALL_CONNECTED after auth either has been succeeded or bypassed.
2020-06-28sstp: fix crypto-binding attr errors loggingVladislav Grishenko
2020-06-09Fix typo in doc file.Eshenko Dmitriy
2020-06-08ipoe: gracefuly terminate denied sessionsVladislav Grishenko
2020-06-06radius: add strip-realm config optionVladislav Grishenko
refer #6 for modre details.
2020-05-21ipv6pool: fix delegated pool ignorance w/o address poolVladislav Grishenko
2020-04-30ipoe: dhcp: add rebind-time supportVladislav Grishenko
2020-04-21Send Delegated-IPv6-Prefix attribute in Accounting-Start messageSergey V. Lobanov
If Delegated-IPv6-Prefix was received in Access-Accept message, it is necessary to send it in radacct Start message
2020-04-13dhcpv4/dhcpv6: improve packet validationVladislav Grishenko
2020-04-10Check for length in pppoe tagsDenys Fedoryshchenko
2020-04-07T13: Fix build procedureDmitriyEshenko
2020-04-07Merge branch 'master' of github.com:xebd/accel-pppDmitry Kozlov
2020-04-07Merge pull request #122 from laarmen/dev/fix/netns_reindexxebd
Refresh interface index when moving to another netns
2020-04-06pptp: T6: Check timer before modifyDmitriyEshenko
2020-04-02Fix radius Framed-IP-Addressstetsyuk
Add htonl to check if Framed-IP-Address==0xFFFFFFFE Ignore 0xFFFFFFFE as Framed-IP-Address in DM/CoA requests
2020-03-18ppp: reset the ifindex when moving back to the default namespaceSimon Chopin
If you move an interface into a namespace where there is alreay an interface with the same index, the moved interface will get a new index assigned to it. We need to update our data structure accordingly. Signed-off-by: Simon Chopin <s.chopin@alphalink.fr>
2020-03-18ifconfig: reset the ifindex when moving namespacesSimon Chopin
If you move an interface into a namespace where there is alreay an interface with the same index, the moved interface will get a new index assigned to it. We need to update our data structure accordingly. Signed-off-by: Simon Chopin <s.chopin@alphalink.fr>
2020-03-18net: new function get_ifindexSimon Chopin
The index of a given interface is an operation that highly depends on the network namespace we're in. This patch simply cuts out a function to get the index for a given interface name from the session initialization code, and expose it in the ap_net structure. This function can then be used to refresh the index when moving interfaces around. Signed-off-by: Simon Chopin <s.chopin@alphalink.fr>
2020-03-10Merge pull request #121 from themiron/max-starting-cleanupxebd
Add global [common]max-starting option
2020-03-10Merge pull request #117 from themiron/echo-opt82xebd
ipoe: dhcpv4: echo back opt82 if sent by client/relay per rfc3046
2020-03-07sstp: fix max-sessions limit was not appliedVladislav Grishenko
2020-03-07session: add global [common]max-starting optionVladislav Grishenko
usually there's no need to have per-proto limitation, since the need of max starting limitation affects the whole server, not particular protocol only.
2020-03-07Revert "ipoe,pptp: introduced max-starting option (limit number of starting ↵Vladislav Grishenko
sessions)" This reverts commit 02008c74a19c538ff7d9ce643c8cd4c738886196.
2020-03-07Revert "pppoe: introduced max-starting option (limit number of starting ↵Vladislav Grishenko
sessions)" This reverts commit 61862862a9fa24db4f16c24db1aed1f1a5f0be19.
2020-02-17Merge pull request #115 from themiron/ipv6-poolxebd
pptp: add ip-pool & ipv6-pool config exmples
2020-02-16ipoe: dhcpv4: echo back opt82 if sent by client/unknown relay per rfc3046Vladislav Grishenko
2020-02-16pptp: add ip-pool & ipv6-pool config exmplesVladislav Grishenko
2020-02-16ipoe: dhcpv4: move relay packet logging after paddingVladislav Grishenko
2020-02-16ipoe: dhcpv4: implement udp csum and padding per rfc1542Vladislav Grishenko
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-14 05:14:10 +0000