NetBSD-Bugs archive
bin/49477: Please pull this fix to releng. PPPD cores when connecting using PPTP. It fails with stack overflow
>Number: 49477
>Category: bin
>Synopsis: Please pull this fix to releng. PPPD cores when connecting using PPTP. It fails with stack overflow
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 16 03:20:00 +0000 2014
>Originator: Jose Luis Rodriguez Garcia
>Release: NetBSD 7
>Organization:
>Environment:
NetBSD pc2 7.0_BETA NetBSD 7.0_BETA (DRMKMS.201412112210Z) amd64
>Description:
Please pull this pullup-7 to releng for the netbsd7 release.
--- src/external/bsd/ppp/dist/pppd/chap_ms.c.orig 2014-12-13 02:48:09.000000000 +0100
+++ src/external/bsd/ppp/dist/pppd/chap_ms.c 2014-12-13 02:48:50.000000000 +0100
@@ -391,7 +391,7 @@
unsigned char *private)
{
const struct chapms2_response_cache_entry *cache_entry;
- unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH];
+ unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH+1];
challenge++; /* skip length, should be 16 */
*response++ = MS_CHAP2_RESPONSE_LEN;
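Review bot: the +1 on auth_response is the right fix for the reason the report gives (the callee writes MS_AUTH_RESPONSE_LENGTH hex characters plus a terminating NUL via snprintf), but the hunk leaves the sizing as bare arithmetic with no explanation, so the next reader may "clean it up" back to MS_AUTH_RESPONSE_LENGTH. Suggest a one-line comment on the declaration, e.g. `unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH+1]; /* hex digest + NUL */`, matching the +1 already used for the authResponse parameter in GenerateAuthenticatorResponsePlain as described below.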
When I try to connect to a PPTP site using the pptp client, the pppd server fails with this error:
....
rcvd [CHAP Challenge id=0x0 <8a9deb8ead02184f6620be79ea3534ab>, name = "VPNESMA1"]
added response cache entry 0
[1] Abort trap (core dumped) /usr/pkg/sbin/pp...
with this error in /var/log/messages:
Dec 16 03:52:51 pc2 -: pc2 pppd - - - stack overflow detected; terminated
It is SSP (stack smashing protection) that detects the array overflow.
The output from gdb:
Core was generated by `pppd'.
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f7ff650d2da in _lwp_kill () from /usr/lib/libc.so.12
(gdb) bt full
#0 0x00007f7ff650d2da in _lwp_kill () from /usr/lib/libc.so.12
No symbol table info available.
#1 0x00007f7ff64f3552 in ?? () from /usr/lib/libc.so.12
No symbol table info available.
#2 0x00007f7ff64f356c in __stack_chk_fail () from /usr/lib/libc.so.12
No symbol table info available.
#3 0x0000000000412c66 in chapms2_make_response (
response=0x7f7fffffd779 "\247\237\372\340<\352\363\234\314M\271l\305\316d0", id=0,
our_name=0x6516c0 <user> "iberia\\T03456",
challenge=0x650aa9 <inpacket_buf+9> "\212\235\353\216\255\002\030Of \276y\352\065\064\253VPNESMA1\313\230\021Q\200z\352kJ", secret=0x7f7fffffd660 "MyPasswordxx", secret_len=12, private=0x64d438 <client+24> "")
at /usr/src/external/bsd/ppp/dist/pppd/chap_ms.c:412
cache_entry = 0x0
auth_response = "59047C34039B2614121170407F633C0AEFC43571"
#4 0x0000000000411e94 in chap_respond (cs=0x64d420 <client>, id=0,
pkt=0x650aa8 <inpacket_buf+8> "\020\212\235\353\216\255\002\030Of \276y\352\065\064\253VPNESMA1\313\230\021Q\200z\352kJ", len=25) at /usr/src/external/bsd/ppp/dist/pppd/chap-new.c:477
clen = 16
nlen = 8
secret_len = 12
p = 0x7f7fffffd778 "1\247\237\372\340<\352\363\234\314M\271l\305\316d0"
response = "\377\003\302#\000\000\000\000\061\247\237\372\340<\352\363\234\314M\271l\305\316d0\000\000\000\000\000\000\000\000\256\360\363\251\261\204\360wv\203l#2\000\342j\217\361\031&p\333\203\246\000\000\000\000\000\000\000\200\217d\000\000\000\000\000 \324d\000\000\000\000\000\020\330\377\377\177\177\000\000?\226@\000\000\000\000\000\020\330\377\377\177\177\000\000kP;\352\030\302\331\347\320\330\377\377\177\177\000\000}\\C\000\000\000\000\000`\003e\000\000\000\000\000p\022D\000\000\000\000\000\300\003e\000\000\000\000\000 \000\000\000\060\000\000\000\340\330\377\377\177\177\000\000 \330\377\377\177\177\000\000`\330\377\377\177\177\000\000j\332C\000\000\000\000\000\240\ne\000\000\000\000\000"...
rname = "pptp-tecnocom", '\000' <repeats 43 times>, "\f\000\000\000\000\000\000\000\020\331\377\377\177\177\000\000\000\000\000\000\000\000\000\000\032\300C\366\177\177\000\000@\331\377\377\177\177\000\000P\320\261\367\177\177\000\000\020\331\377\377\177\177\000\000\006\002\000\000\000\000\000\000\360\331\377\377\177\177\000\000\320\277@\000\000\000\000\000T\204\021\367\177\177\000\000\320\277@\000\000\000\000\000\060\331\377\377\177\177\000\000\340\377\377\377\177\177\000\000\004", '\000' <repeats 23 times>, "?\000\000\000\000\000\000\000"..
.............
The chapms2_make_response function calls ChapMS2(.., auth_response, ...) --> GenerateAuthenticatorResponsePlain(...., authResponse) --> GenerateAuthenticatorResponse(..., authResponse).
In the GenerateAuthenticatorResponsePlain function, the parameter authResponse is defined as u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1], whereas in the chapms2_make_response function it is defined as
unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH]. There is a stack overflow of 1 byte.
The function GenerateAuthenticatorResponse writes up to MS_AUTH_RESPONSE_LENGTH characters plus one \0 to terminate the string, using a for loop with snprintf.
In netbsd-current the definition of the array is correct: unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH+1];
http://cvsweb.netbsd.org/bsdweb.cgi/src/external/bsd/ppp/dist/pppd/chap_ms.c?rev=1.4&content-type=text/x-cvsweb-markup&only_with_tag=MAIN (function chapms2_make_response)
>How-To-Repeat:
Make a PPTP connection in NetBSD 7
>Fix:
--- src/external/bsd/ppp/dist/pppd/chap_ms.c.orig 2014-12-13 02:48:09.000000000 +0100
+++ src/external/bsd/ppp/dist/pppd/chap_ms.c 2014-12-13 02:48:50.000000000 +0100
@@ -391,7 +391,7 @@
unsigned char *private)
{
const struct chapms2_response_cache_entry *cache_entry;
- unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH];
+ unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH+1];
challenge++; /* skip length, should be 16 */
*response++ = MS_CHAP2_RESPONSE_LEN;
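Review bot: the pullup request carries only a hand-made diff and no reference to the committed change; the description cites chap_ms.c rev 1.4 on the MAIN branch as already containing this line, so the request should name that revision (and its commit) so releng can pull the exact commit rather than re-applying a patch with local timestamps. The hunk itself is the minimal caller-side fix; the callee still writes the NUL unconditionally, so any other caller of ChapMS2 that sizes its buffer with MS_AUTH_RESPONSE_LENGTH would have the same 1-byte overflow and is worth a grep before the pullup is closed.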
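The 1-byte overflow the report describes, as an added example in C that is neither pppd's code nor the submitter's: a hex encoder shaped like the per-byte snprintf loop the description attributes to GenerateAuthenticatorResponse (assumed from the description, not copied from pppd), a checked variant that takes the destination size and refuses an undersized buffer, and a canary-based reproduction showing that a 40-byte destination is clobbered while a 41-byte one is not. MS_AUTH_RESPONSE_LENGTH = 40 and the 20-byte digest length are assumptions taken from the 40-character auth_response visible in the gdb output; the sample digest is constructed.

```c
/* Added example, not pppd code: why a 40-char hex response needs a 41-byte buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MS_AUTH_RESPONSE_LENGTH 40   /* assumed: hex of a 20-byte digest */
#define DIGEST_LEN 20                /* assumed: SHA-1 sized digest */

/* Unchecked encoder, the shape the PR describes: one snprintf per digest byte,
 * each writing two hex digits and a NUL. The last call leaves the NUL at
 * out[MS_AUTH_RESPONSE_LENGTH], so 2*DIGEST_LEN + 1 = 41 bytes are touched. */
void hex_encode_unchecked(const unsigned char *digest, char *out)
{
    for (size_t i = 0; i < DIGEST_LEN; i++)
        snprintf(out + 2 * i, 3, "%02X", digest[i]);
}

/* Hardened variant: the caller passes the destination size and the encoder
 * refuses when the terminator would not fit. Returns 0 on success, -1 if
 * out_len < MS_AUTH_RESPONSE_LENGTH + 1 (nothing is written in that case). */
int hex_encode_checked(const unsigned char *digest, char *out, size_t out_len)
{
    if (out_len < MS_AUTH_RESPONSE_LENGTH + 1)
        return -1;
    hex_encode_unchecked(digest, out);
    return 0;
}

/* Deterministic reproduction of the off-by-one without relying on SSP:
 * allocate buf_len bytes for the response plus one canary byte right after it,
 * run the unchecked encoder, and report whether the canary survived.
 * Returns 1 if the canary was overwritten, 0 if intact, -1 on bad input.
 * buf_len below MS_AUTH_RESPONSE_LENGTH is rejected so the test itself never
 * writes past the allocation. */
int canary_clobbered(size_t buf_len)
{
    if (buf_len < MS_AUTH_RESPONSE_LENGTH)
        return -1;

    unsigned char digest[DIGEST_LEN];
    for (size_t i = 0; i < DIGEST_LEN; i++)
        digest[i] = (unsigned char)(0xA5 ^ i);   /* constructed sample digest */

    char *block = malloc(buf_len + 1);           /* response area + 1 canary byte */
    if (block == NULL)
        return -1;
    memset(block, 0x7F, buf_len + 1);            /* canary value is 0x7F */
    hex_encode_unchecked(digest, block);
    int clobbered = ((unsigned char)block[buf_len] != 0x7F);
    free(block);
    return clobbered;
}

/* Calls the checked encoder with a destination of the given size and returns
 * its result, so the size check can be exercised on its own. */
int checked_encode_into(size_t out_len)
{
    unsigned char digest[DIGEST_LEN] = {0};
    char out[MS_AUTH_RESPONSE_LENGTH + 1];
    if (out_len > sizeof out)
        out_len = sizeof out;
    return hex_encode_checked(digest, out, out_len);
}

/* Length of the encoded string when the buffer is sized correctly. */
size_t encoded_length(void)
{
    unsigned char digest[DIGEST_LEN] = {0};
    char out[MS_AUTH_RESPONSE_LENGTH + 1];
    hex_encode_unchecked(digest, out);
    return strlen(out);
}

int main(void)
{
    printf("buffer of %d bytes: canary clobbered = %d\n",
           MS_AUTH_RESPONSE_LENGTH, canary_clobbered(MS_AUTH_RESPONSE_LENGTH));
    printf("buffer of %d bytes: canary clobbered = %d\n",
           MS_AUTH_RESPONSE_LENGTH + 1, canary_clobbered(MS_AUTH_RESPONSE_LENGTH + 1));
    printf("checked encoder into %d bytes: %d\n",
           MS_AUTH_RESPONSE_LENGTH, checked_encode_into(MS_AUTH_RESPONSE_LENGTH));
    return 0;
}
```

The canary check is what SSP does on the real stack frame, done by hand on the heap so the result is deterministic and does not depend on compiler flags; the checked encoder is the shape a callee-side fix would take if the caller-side +1 were ever lost again.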