CVS commit: src/sys/net

Wed, 04 May 2022 07:30:24 -0700 

Module Name:    src
Committed By:   martin
Date:           Wed May  4 14:30:04 UTC 2022

Modified Files:
        src/sys/net: if_pppoe.c

Log Message:
Do not allocate mbuf clusters when the caller (eroneously) asks
for more than MCLBYTES size, instead fail the allocation.

When we have received multiple PADO offer packets in the discovery
phase, do not combine tags from different packets. We are supposed
to pick one PADO packet and continue session establishment with that.

The second bug could cause code to trigger the first and create
invalid response packets and also overwrite data outside of
the allocated mbuf cluster.

Fixes CVE-2022-29867.


To generate a diff of this commit:
cvs rdiff -u -r1.178 -r1.179 src/sys/net/if_pppoe.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/net/if_pppoe.c
diff -u src/sys/net/if_pppoe.c:1.178 src/sys/net/if_pppoe.c:1.179
--- src/sys/net/if_pppoe.c:1.178	Mon Oct 11 05:13:11 2021
+++ src/sys/net/if_pppoe.c	Wed May  4 14:30:04 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: if_pppoe.c,v 1.178 2021/10/11 05:13:11 knakahara Exp $ */
+/* $NetBSD: if_pppoe.c,v 1.179 2022/05/04 14:30:04 martin Exp $ */
 
 /*
  * Copyright (c) 2002, 2008 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.178 2021/10/11 05:13:11 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_pppoe.c,v 1.179 2022/05/04 14:30:04 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "pppoe.h"
@@ -958,6 +958,10 @@ breakbreak:;
 			}
 			sc->sc_ac_cookie_len = ac_cookie_len;
 			memcpy(sc->sc_ac_cookie, ac_cookie, ac_cookie_len);
+		} else if (sc->sc_ac_cookie) {
+			free(sc->sc_ac_cookie, M_DEVBUF);
+			sc->sc_ac_cookie = NULL;
+			sc->sc_ac_cookie_len = 0;
 		}
 		if (relay_sid) {
 			if (sc->sc_relay_sid)
@@ -972,6 +976,10 @@ breakbreak:;
 			}
 			sc->sc_relay_sid_len = relay_sid_len;
 			memcpy(sc->sc_relay_sid, relay_sid, relay_sid_len);
+		} else if (sc->sc_relay_sid) {
+			free(sc->sc_relay_sid, M_DEVBUF);
+			sc->sc_relay_sid = NULL;
+			sc->sc_relay_sid_len = 0;
 		}
 		memcpy(&sc->sc_dest, eh->ether_shost, sizeof sc->sc_dest);
 		callout_stop(&sc->sc_timeout);
@@ -1418,6 +1426,9 @@ pppoe_get_mbuf(size_t len)
 {
 	struct mbuf *m;
 
+	if (len + sizeof(struct ether_header) > MCLBYTES)
+		return NULL;
+
 	MGETHDR(m, M_DONTWAIT, MT_DATA);
 	if (m == NULL)
 		return NULL;

Reply via email to