Source-Changes-HG archive


[src/trunk]: src/sys/net Do not allocate mbuf clusters when the caller (erone...



details:   https://anonhg.NetBSD.org/src/rev/97850c5cf74d
branches:  trunk
changeset: 365945:97850c5cf74d
user:      martin <martin%NetBSD.org@localhost>
date:      Wed May 04 14:30:04 2022 +0000

description:
Do not allocate mbuf clusters when the caller (erroneously) asks
for more than MCLBYTES size, instead fail the allocation.

When we have received multiple PADO offer packets in the discovery
phase, do not combine tags from different packets. We are supposed
to pick one PADO packet and continue session establishment with that.

The second bug could cause code to trigger the first and create
invalid response packets and also overwrite data outside of
the allocated mbuf cluster.

Fixes CVE-2022-29867.

diffstat:

 sys/net/if_pppoe.c |  15 +++++++++++++--
 1 files changed, 13 insertions(+), 2 deletions(-)

diffs (50 lines):

diff -r a49369e9403e -r 97850c5cf74d sys/net/if_pppoe.c
--- a/sys/net/if_pppoe.c        Wed May 04 11:27:54 2022 +0000
+++ b/sys/net/if_pppoe.c        Wed May 04 14:30:04 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_pppoe.c,v 1.178 2021/10/11 05:13:11 knakahara Exp $ */
+/* $NetBSD: if_pppoe.c,v 1.179 2022/05/04 14:30:04 martin Exp $ */
 
 /*
  * Copyright (c) 2002, 2008 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.178 2021/10/11 05:13:11 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.179 2022/05/04 14:30:04 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pppoe.h"
@@ -958,6 +958,10 @@
                        }
                        sc->sc_ac_cookie_len = ac_cookie_len;
                        memcpy(sc->sc_ac_cookie, ac_cookie, ac_cookie_len);
+               } else if (sc->sc_ac_cookie) {
+                       free(sc->sc_ac_cookie, M_DEVBUF);
+                       sc->sc_ac_cookie = NULL;
+                       sc->sc_ac_cookie_len = 0;
                }
                if (relay_sid) {
                        if (sc->sc_relay_sid)
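Review bot: the new `else if (sc->sc_ac_cookie)` branch releases a cookie kept from an earlier PADO when the current packet carries none, which is what stops tags from different offers being combined; the same free / NULL / len = 0 triple is repeated verbatim for sc_relay_sid in the next hunk, so a small helper (name hypothetical, say `pppoe_free_tag(&sc->sc_ac_cookie, &sc->sc_ac_cookie_len)`) would keep the two paths from drifting apart.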
@@ -972,6 +976,10 @@
                        }
                        sc->sc_relay_sid_len = relay_sid_len;
                        memcpy(sc->sc_relay_sid, relay_sid, relay_sid_len);
+               } else if (sc->sc_relay_sid) {
+                       free(sc->sc_relay_sid, M_DEVBUF);
+                       sc->sc_relay_sid = NULL;
+                       sc->sc_relay_sid_len = 0;
                }
                memcpy(&sc->sc_dest, eh->ether_shost, sizeof sc->sc_dest);
                callout_stop(&sc->sc_timeout);
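Review bot: after this hunk the AC cookie, the relay SID and, per the unchanged `memcpy(&sc->sc_dest, eh->ether_shost, sizeof sc->sc_dest);` context, the peer address are all replaced on every PADO, so the session state reflects only the most recently received offer; a one-line comment stating that "pick one PADO" here means "the last one seen" would document that choice at the point where it is made.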
@@ -1418,6 +1426,9 @@
 {
        struct mbuf *m;
 
+       if (len + sizeof(struct ether_header) > MCLBYTES)
+               return NULL;
+
        MGETHDR(m, M_DONTWAIT, MT_DATA);
        if (m == NULL)
                return NULL;
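Review bot: the `len + sizeof(struct ether_header) > MCLBYTES` guard sits before MGETHDR, so the failure path cannot leak an mbuf, and it reuses the NULL return that callers must already handle for the MGETHDR failure just below; since the commit message treats an oversize request as a caller error rather than a runtime condition, consider a short comment above the check saying so, so a reader does not mistake the silent NULL for memory pressure.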


