- changed status to resolved
N**BSD-SA2022-001 - PPPoE discovery phase memory corruption
Issue #290
resolved
Comments (1)
-
reporter - Log in to comment
BUGFIX: Issue
#290- N**BSD-SA2022-001 PPPoE discovery phase memory corruptionsee more detailed info: https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2022-001.txt.asc
patch taken from: http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/net/if_pppoe.c?only_with_tag=MAIN#rev1.179
original commit message: Do not allocate mbuf clusters when the caller (eroneously) asks for more than MCLBYTES size, instead fail the allocation.
When we have received multiple PADO offer packets in the discovery phase, do not combine tags from different packets. We are supposed to pick one PADO packet and continue session establishment with that.
The second bug could cause code to trigger the first and create invalid response packets and also overwrite data outside of the allocated mbuf cluster.
Fixes CVE-2022-29867.
→ <<cset 8df69c025936>>