ppp-project / ppp

Paul's PPP Package: PPP daemon and associated utilities | Official GitHub repo: https://github.com/ppp-project/ppp

pppdump/zlib.c: possible invalid array index #498

Open yarda opened 1 week ago

yarda commented 1 week ago

This was found by static analysis. I don't know whether it's possible to exploit it, but as the ZLIB compressed input data can be altered, I think there should be a sanity check:

`h` is initialized to -1 (i.e. no tables) at https://github.com/ppp-project/ppp/blob/master/pppdump/zlib.c#L1326, but later, at https://github.com/ppp-project/ppp/blob/master/pppdump/zlib.c#L1415, `x[h]` is dereferenced, which, in case there are still no tables, could probably be `x[-1]`, i.e. an invalid memory access.

yarda commented 1 week ago

ppp-2.5.0
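The kind of sanity check the report asks for, as an added sketch in C that is not code from pppdump/zlib.c or from the reporter: a table-level index that starts at -1 is validated before it is used to index `x[]`. The function `backup_level`, the error code `ERR_BAD_LEVEL`, the `BMAX` depth and the sample arrays are all assumptions constructed for this illustration.

```c
#include <stdio.h>

#define BMAX 15             /* assumed maximum table depth for this sketch */
#define ERR_BAD_LEVEL (-2)  /* hypothetical error code */

/* Constructed start codes per table level; level 0 always starts at 0. */
static const unsigned sample_ok[BMAX + 1]  = {0, 5};
/* Constructed corrupted state: level 0 can never match, so h underflows. */
static const unsigned sample_bad[BMAX + 1] = {1};

/*
 * Pop finished table levels until the low w bits of code i equal the start
 * code stored for level h. h == -1 means no table has been built yet.
 * l is the number of bits consumed per level.
 * Returns the matching level, or ERR_BAD_LEVEL rather than reading x[-1]
 * or past x[BMAX].
 */
static int backup_level(const unsigned *x, int h, int w, int l, unsigned i)
{
    for (;;) {
        if (h < 0 || h > BMAX || w < 0 || w >= 32)
            return ERR_BAD_LEVEL;            /* sanity check before x[h] */
        if ((i & ((1u << w) - 1u)) == x[h])
            return h;                        /* prefix matches this level */
        h--;                                 /* finished table: back up */
        w -= l;
    }
}

int main(void)
{
    printf("match at level 1:   %d\n", backup_level(sample_ok, 1, 3, 3, 5u));
    printf("back up to level 0: %d\n", backup_level(sample_ok, 1, 3, 3, 6u));
    printf("no tables (h=-1):   %d\n", backup_level(sample_ok, -1, -3, 3, 0u));
    printf("corrupted level 0:  %d\n", backup_level(sample_bad, 0, 0, 3, 0u));
    return 0;
}
```

Returning an error from the decoder on a bad level lets the caller reject the altered stream instead of reading outside the array.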