NetBSD-SA2022-001 - PPPoE discovery phase memory corruption

Issue #290 resolved
Takehiko NOZAKI repo owner created an issue

Comments (1)

  1. Takehiko NOZAKI reporter

    BUGFIX: Issue #290 - NetBSD-SA2022-001 PPPoE discovery phase memory corruption

    see more detailed info: https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2022-001.txt.asc

    patch taken from: http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/net/if_pppoe.c?only_with_tag=MAIN#rev1.179

    original commit message: Do not allocate mbuf clusters when the caller (erroneously) asks for more than MCLBYTES size, instead fail the allocation.

    When we have received multiple PADO offer packets in the discovery phase, do not combine tags from different packets. We are supposed to pick one PADO packet and continue session establishment with that.

    The second bug could cause code to trigger the first and create invalid response packets and also overwrite data outside of the allocated mbuf cluster.

    Fixes CVE-2022-29867.

    → <<cset 8df69c025936>>
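The two rules the commit message states, as an added userland sketch in C. This is not NetBSD's if_pppoe.c and not the patch itself: it shows a PADO handler that checks every tag length against the declared payload and the frame before copying anything, keeps the first accepted PADO and ignores later offers rather than merging their tags into the session state, and refuses to build a PADR larger than one cluster instead of overrunning the buffer. CLUSTER_LIMIT (standing in for MCLBYTES), MAX_COOKIE, the function names and the constructed PADO frames are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PPPOE_VERTYPE      0x11
#define PPPOE_CODE_PADO    0x07
#define PPPOE_CODE_PADR    0x19
#define PPPOE_TAG_EOL      0x0000
#define PPPOE_TAG_SNAME    0x0101
#define PPPOE_TAG_ACCOOKIE 0x0104
#define PPPOE_HDRLEN       6
#define MAX_COOKIE         64     /* assumption: largest AC-Cookie we will echo */
#define CLUSTER_LIMIT      2048   /* assumption: stands in for MCLBYTES */

struct pppoe_state {
    int     have_pado;            /* set once the first valid PADO is accepted */
    uint8_t ac_mac[6];
    uint8_t ac_cookie[MAX_COOKIE];
    size_t  ac_cookie_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns 0 if the PADO is accepted, 1 if ignored because an offer was already
 * chosen, -1 if malformed. Tags are validated before the state is touched. */
int pppoe_handle_pado(struct pppoe_state *st, const uint8_t src_mac[6],
                      const uint8_t *pkt, size_t len)
{
    if (len < PPPOE_HDRLEN || pkt[0] != PPPOE_VERTYPE || pkt[1] != PPPOE_CODE_PADO)
        return -1;
    size_t plen = rd16(pkt + 4);
    if (plen > len - PPPOE_HDRLEN)
        return -1;                       /* declared payload longer than the frame */
    if (st->have_pado)
        return 1;                        /* keep the first offer; never merge a later one */

    uint8_t cookie[MAX_COOKIE];
    size_t cookie_len = 0;
    const uint8_t *p = pkt + PPPOE_HDRLEN, *end = p + plen;
    while ((size_t)(end - p) >= 4) {
        uint16_t tag = rd16(p), tlen = rd16(p + 2);
        p += 4;
        if (tag == PPPOE_TAG_EOL)
            break;
        if (tlen > (size_t)(end - p))
            return -1;                   /* tag value runs past the payload */
        if (tag == PPPOE_TAG_ACCOOKIE) {
            if (tlen > MAX_COOKIE)
                return -1;               /* more than we are willing to echo back */
            memcpy(cookie, p, tlen);
            cookie_len = tlen;
        }
        p += tlen;
    }
    memcpy(st->ac_mac, src_mac, 6);
    memcpy(st->ac_cookie, cookie, cookie_len);
    st->ac_cookie_len = cookie_len;
    st->have_pado = 1;
    return 0;
}

/* Builds the PADR for the chosen offer into buf. Returns the frame length, or
 * -1 when it would exceed bufsz or one cluster (fail, do not overrun). */
int pppoe_build_padr(const struct pppoe_state *st, uint8_t *buf, size_t bufsz)
{
    size_t need = PPPOE_HDRLEN + 4 + (st->ac_cookie_len ? 4 + st->ac_cookie_len : 0);
    if (!st->have_pado || need > bufsz || need > CLUSTER_LIMIT)
        return -1;
    uint8_t *p = buf;
    p[0] = PPPOE_VERTYPE; p[1] = PPPOE_CODE_PADR; wr16(p + 2, 0);
    wr16(p + 4, (uint16_t)(need - PPPOE_HDRLEN));
    p += PPPOE_HDRLEN;
    wr16(p, PPPOE_TAG_SNAME); wr16(p + 2, 0); p += 4;   /* empty Service-Name */
    if (st->ac_cookie_len) {
        wr16(p, PPPOE_TAG_ACCOOKIE); wr16(p + 2, (uint16_t)st->ac_cookie_len); p += 4;
        memcpy(p, st->ac_cookie, st->ac_cookie_len);
    }
    return (int)need;
}

/* Constructed PADO frame: empty Service-Name plus one AC-Cookie of clen bytes. */
static size_t make_pado(uint8_t *out, uint8_t fill, size_t clen)
{
    out[0] = PPPOE_VERTYPE; out[1] = PPPOE_CODE_PADO; wr16(out + 2, 0);
    wr16(out + 4, (uint16_t)(8 + clen));
    wr16(out + 6, PPPOE_TAG_SNAME); wr16(out + 8, 0);
    wr16(out + 10, PPPOE_TAG_ACCOOKIE); wr16(out + 12, (uint16_t)clen);
    memset(out + 14, fill, clen);
    return 14 + clen;
}

static const uint8_t AC1[6] = {2, 0, 0, 0, 0, 1}, AC2[6] = {2, 0, 0, 0, 0, 2};

/* Two offers arrive; returns the fill byte of the cookie that will be echoed
 * ('A' means the first PADO was kept and the second did not leak in). */
int demo_two_pados(void)
{
    struct pppoe_state st = {0};
    uint8_t f1[64], f2[64];
    size_t l1 = make_pado(f1, 'A', 8), l2 = make_pado(f2, 'B', 16);
    if (pppoe_handle_pado(&st, AC1, f1, l1) != 0) return -1;
    if (pppoe_handle_pado(&st, AC2, f2, l2) != 1) return -1;
    return st.ac_cookie_len == 8 ? st.ac_cookie[0] : -1;
}

/* A PADO whose AC-Cookie tag claims more bytes than the payload holds; returns
 * the handler's verdict provided the state was left untouched. */
int demo_overlong_tag(void)
{
    struct pppoe_state st = {0};
    uint8_t f[64];
    size_t l = make_pado(f, 'A', 8);
    wr16(f + 12, 0x00ff);                /* corrupt the cookie tag length */
    int r = pppoe_handle_pado(&st, AC1, f, l);
    return st.have_pado == 0 ? r : 99;
}

/* PADR length for the kept 8-byte-cookie offer, or -1 if bufsz cannot hold it. */
int demo_padr(size_t bufsz)
{
    struct pppoe_state st = {0};
    uint8_t f[64], out[CLUSTER_LIMIT];
    size_t l = make_pado(f, 'A', 8);
    if (pppoe_handle_pado(&st, AC1, f, l) != 0 || bufsz > sizeof(out)) return -2;
    return pppoe_build_padr(&st, out, bufsz);
}

int main(void)
{
    printf("kept cookie fill: %c\n", demo_two_pados());
    printf("overlong tag verdict: %d\n", demo_overlong_tag());
    printf("PADR into 16 bytes: %d, into a cluster: %d\n", demo_padr(16), demo_padr(CLUSTER_LIMIT));
    return 0;
}
```

The point of the ordering in pppoe_handle_pado is that a second PADO is rejected before any of its tags are parsed, so there is no path by which two offers' cookies end up concatenated in the session state; and pppoe_build_padr computes the size it needs and fails rather than asking for a buffer larger than one cluster.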
