ipcp: fix uninitialised memory access when negociating *-NBNS-Address

When handling the EV_WINS event, IPCP assumes that the ->wins1 and ->wins2 fields of the event structure are properly set. But that may not be the case. If only one of the MS-Primary-NBNS-Server or MS-Secondary-NBNS-Server RADIUS attributes was received, then only ->wins1 or ->wins2 is set, while the other keeps a non initialised value. This uninitialised value is then copied by ev_wins() and proposed to the peer when negociating the Primary-NBNS-Address or Secondary-NBNS-Address IPCP options. That leaks four bytes of the stack to the network and prevents using the values found in the [wins] section of accel-ppp.conf as fallback. Fix this by initialising the whole event structure in rad_proc_attrs(). Then, in ev_wins(), we can check if ->wins1 or ->wins2 is properly set before copying them. That allows to propery fallback to accel-ppp.conf values when one of the values was not provided by RADIUS. Signed-off-by: N Guillaume Nault <g.nault@alphalink.fr>

ipcp: fix uninitialised memory access when negociating *-NBNS-Address
When handling the EV_WINS event, IPCP assumes that the ->wins1 and ->wins2 fields of the event structure are properly set. But that may not be the case. If only one of the MS-Primary-NBNS-Server or MS-Secondary-NBNS-Server RADIUS attributes was received, then only ->wins1 or ->wins2 is set, while the other keeps a non initialised value. This uninitialised value is then copied by ev_wins() and proposed to the peer when negociating the Primary-NBNS-Address or Secondary-NBNS-Address IPCP options. That leaks four bytes of the stack to the network and prevents using the values found in the [wins] section of accel-ppp.conf as fallback. Fix this by initialising the whole event structure in rad_proc_attrs(). Then, in ev_wins(), we can check if ->wins1 or ->wins2 is properly set before copying them. That allows to propery fallback to accel-ppp.conf values when one of the values was not provided by RADIUS. Signed-off-by: N Guillaume Nault <g.nault@alphalink.fr>
c3710b6b · Guillaume Nault · Dmitry Kozlov · 1c40018e · c3710b6b · c3710b6b
隐藏空白更改
内联并排

Showing with 9 addition and 6 deletion

accel-pppd/ppp/ipcp_opt_wins.c accel-pppd/ppp/ipcp_opt_wins.c +8 -4

accel-pppd/radius/radius.c accel-pppd/radius/radius.c +1 -2

未找到文件。
--- a/accel-pppd/ppp/ipcp_opt_wins.c
+++ b/accel-pppd/ppp/ipcp_opt_wins.c
@@ -151,11 +151,15 @@ static void ev_wins(struct ev_wins_t *ev)

 	ppp = container_of(ev->ses, typeof(*ppp), ses);

-	wins_opt = container_of(ipcp_find_option(ppp, &wins1_opt_hnd), typeof(*wins_opt), opt);
-	wins_opt->addr = ev->wins1;
+	if (ev->wins1) {
+		wins_opt = container_of(ipcp_find_option(ppp, &wins1_opt_hnd), typeof(*wins_opt), opt);
+		wins_opt->addr = ev->wins1;
+	}

-	wins_opt = container_of(ipcp_find_option(ppp, &wins2_opt_hnd), typeof(*wins_opt), opt);
-	wins_opt->addr = ev->wins2;
+	if (ev->wins2) {
+		wins_opt = container_of(ipcp_find_option(ppp, &wins2_opt_hnd), typeof(*wins_opt), opt);
+		wins_opt->addr = ev->wins2;
+	}
 }

 static void load_config(void)

--- a/accel-pppd/radius/radius.c
+++ b/accel-pppd/radius/radius.c
@@ -148,14 +148,13 @@ out_err:

 int rad_proc_attrs(struct rad_req_t *req)
 {
+	struct ev_wins_t wins = {};
 	struct ev_dns_t dns = {};
 	struct rad_attr_t *attr;
 	struct ipv6db_addr_t *a;
-	struct ev_wins_t wins;
 	int res = 0;
 	struct radius_pd_t *rpd = req->rpd;

-	wins.ses = NULL;
 	req->rpd->acct_interim_interval = conf_acct_interim_interval;

 	list_for_each_entry(attr, &req->reply->attrs, entry) {