Opened 4 years ago

Closed 4 years ago

#17296 closed defect (fixed)

pppd fatal signal 11 when receiving MS-CHAP auth

Reported by: chenxiawei@… Owned by: developers
Priority: normal Milestone: Chaos Calmer 15.05
Component: packages Version: Trunk
Keywords: pppd Cc:

Description

Hi All,

I run pppd as a PPPoE client, with Windows RASPPPoE as the server, and pppd segfaults.

version: trunk 41631
mt7620n + mips + pppd-2.4.6

I found that in the file 'chap_ms.c',
inside the function "chapms2_make_response",
the buffer is defined as "unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH];"

but
->ChapMS2->GenerateAuthenticatorResponsePlain->GenerateAuthenticatorResponse

requires "u_char authResponse[MS_AUTH_RESPONSE_LENGTH+1]"

and

for (i = 0; i < MAX((MS_AUTH_RESPONSE_LENGTH / 2), sizeof(Digest)); i++)

sprintf((char *)&authResponse[i * 2], "%02X", Digest[i]);

the 'sprintf' may write a trailing '\0' past the end of authResponse, which overflows the buffer.

Should the array be defined as
unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH + 1]
instead of
unsigned char auth_response[MS_AUTH_RESPONSE_LENGTH] ?

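The off-by-one the report describes, shown as an added example that is not part of this ticket or of pppd's source. The sizes are the ones MS-CHAPv2 uses (a 40-character hex authenticator response derived from a 20-byte SHA-1 digest); the function names, the bounds check and the sample digest (bytes 0x00..0x13, constructed here) are mine.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes as MS-CHAPv2 uses them: the authenticator response is 40 hex
   characters, produced from a 20-byte SHA-1 digest. */
#define MS_AUTH_RESPONSE_LENGTH 40
#define DIGEST_LEN 20

/* How many bytes the loop quoted in the ticket,
       for (i = 0; i < 20; i++) sprintf(&authResponse[i * 2], "%02X", Digest[i]);
   writes in total: two hex characters per digest byte, plus the NUL that
   every sprintf call appends after the pair it just wrote. The final call
   puts that NUL at index 2*digest_len, one past a buffer of exactly
   2*digest_len bytes. */
size_t hex_bytes_written(size_t digest_len)
{
    return digest_len * 2 + 1;
}

/* Hex-encode digest into out, refusing to write unless out has room for
   the characters and the terminator. Returns 0 on success, -1 when out is
   too small. The original code had no such check and overflowed by one. */
int hex_encode_checked(const unsigned char *digest, size_t digest_len,
                       char *out, size_t out_len)
{
    if (out == NULL || out_len < hex_bytes_written(digest_len))
        return -1;
    for (size_t i = 0; i < digest_len; i++) {
        /* snprintf is bounded by the space left, so a wrong out_len
           still could not run past the buffer. */
        snprintf(out + i * 2, out_len - i * 2, "%02X", digest[i]);
    }
    return 0;
}

/* Constructed stand-in for the SHA-1 digest: bytes 0x00..0x13, so the
   expected hex string ("000102...13") is easy to verify by eye. */
void fill_sample_digest(unsigned char digest[DIGEST_LEN])
{
    for (size_t i = 0; i < DIGEST_LEN; i++)
        digest[i] = (unsigned char)i;
}

int main(void)
{
    unsigned char digest[DIGEST_LEN];
    char as_reported[MS_AUTH_RESPONSE_LENGTH];      /* size from the ticket */
    char as_proposed[MS_AUTH_RESPONSE_LENGTH + 1];  /* proposed fix */

    fill_sample_digest(digest);
    printf("sprintf loop writes %zu bytes; reported buffer holds %zu\n",
           hex_bytes_written(DIGEST_LEN), sizeof as_reported);

    if (hex_encode_checked(digest, DIGEST_LEN, as_reported, sizeof as_reported) != 0)
        printf("%zu-byte buffer: refused, would overflow by one byte\n",
               sizeof as_reported);
    if (hex_encode_checked(digest, DIGEST_LEN, as_proposed, sizeof as_proposed) == 0)
        printf("%zu-byte buffer: %s\n", sizeof as_proposed, as_proposed);
    return 0;
}
```

The one stray NUL lands on whatever the compiler placed after auth_response on the stack, which is why the symptom is an unpredictable crash (signal 11) rather than a clean error; the +1 in the declaration is the whole fix.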
Attachments (0)

Change History (7)

comment:1 follow-up: Changed 4 years ago by Polydeukes

I have the same problem (/ticket/17297.html).

Have you tried to recompile pppd with that change in "chap_ms.c"?

comment:2 in reply to: ↑ 1 ; follow-up: Changed 4 years ago by chenxiawei@…

Replying to Polydeukes:

I have the same problem (/ticket/17297.html).

Have you tried to recompile pppd with that change in "chap_ms.c"?

Yes, it seems to work.

comment:3 in reply to: ↑ 2 Changed 4 years ago by Polydeukes

Replying to chenxiawei@…:

Replying to Polydeukes:

I have the same problem (/ticket/17297.html).

Have you tried to recompile pppd with that change in "chap_ms.c"?

Yes, it seems to work.

+1
I recompiled the ppp package with your fix and it works.

Last edited 4 years ago by Polydeukes

comment:4 follow-up: Changed 4 years ago by anonymous

That erroneous code was actually inserted by the last ever commit to that file, so it had not been there long before the release of that version:
https://github.com/paulusmack/ppp/commits/master/pppd/chap_ms.c
https://github.com/paulusmack/ppp/commit/08ef47ca532294eb428238c831616748940e24a2

comment:5 in reply to: ↑ 4 Changed 4 years ago by Polydeukes

Replying to anonymous:

That erroneous code was actually inserted by the last ever commit to that file, so it had not been there long before the release of that version:
https://github.com/paulusmack/ppp/commits/master/pppd/chap_ms.c
https://github.com/paulusmack/ppp/commit/08ef47ca532294eb428238c831616748940e24a2

That code is two years old, isn't it? I have OpenWRT PPTP clients running up to the trunk r41508 release...

comment:6 Changed 4 years ago by cyrus

FYI: I reported this upstream https://github.com/paulusmack/ppp/issues/12

comment:7 Changed 4 years ago by blogic

  • Resolution set to fixed
  • Status changed from new to closed

r41882 should fix the issue. please try that rev or a newer one
