Open GoldBinocle opened 3 years ago
To make clear the reason for the crash, we added some debug information to see the values of `n` and `errno` before `memcpy`:
diff --git a/accel-pppd/ctrl/pptp/pptp.c b/accel-pppd/ctrl/pptp/pptp.c
index a5bcaca..89e4b78 100644
--- a/accel-pppd/ctrl/pptp/pptp.c
+++ b/accel-pppd/ctrl/pptp/pptp.c
@@ -145,6 +145,8 @@ again:
}
}
}
+ log_info2("[debug] n: %d\n", n);
+ log_info2("[debug] errno: %d\n", errno);
if ( n<size ) {
memcpy(conn->out_buf, (uint8_t *)buf + n, size - n);
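Review bot: the added logging sits directly before `if ( n<size )`, and that check is exactly what lets a failed write through: with `n == -1` the branch is still taken and `memcpy(conn->out_buf, (uint8_t *)buf + n, size - n)` reads starting one byte before `buf` for `size + 1` bytes. The fix belongs at this spot as an explicit `if (n < 0)` path that returns (for anything other than the retryable errno values) before the memcpy is reached. Also, `errno` is only meaningful when `n < 0`; logging it unconditionally prints whatever value was left by an earlier call (the `errno: 11` lines next to positive `n` in the log below are that), so guard the second `log_info2` with `if (n < 0)` or print `strerror(errno)` only on the failure path.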
then the server log becomes:
[2021-10-20 21:06:25.367] accel-ppp version 1.12.0-149-gff91c73
[2021-10-20 21:06:25.393] pptp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
[2021-10-20 21:06:25.394] l2tp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
[2021-10-20 21:06:25.446] pptp: new connection from 127.0.0.1
[2021-10-20 21:06:25.447] : : recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 3> <Bearer 3> <Max-Chan 65535>]
[2021-10-20 21:06:25.447] : : send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>]
[2021-10-20 21:06:25.447] [debug] n: 156
[2021-10-20 21:06:25.447] [debug] errno: 11
[2021-10-20 21:06:26.447] : : recv [PPTP Outgoing-Call-Request <Call-ID 8203> <Call-Serial 0> <Min-BPS 2400> <Max-BPS 10000000> <Bearer 3> <Framing 3> <Window-Size 3> <Delay 0>]
[2021-10-20 21:06:26.447] : : send [PPTP Outgoing-Call-Reply <Call-ID 8e1c> <Peer-Call-ID 8203> <Result 1> <Error 0> <Cause 0> <Speed 10000000> <Window-Size 3> <Delay 0> <Channel 0>]
[2021-10-20 21:06:26.448] [debug] n: 32
[2021-10-20 21:06:26.448] [debug] errno: 11
[2021-10-20 21:06:26.448] : : lcp_layer_init
[2021-10-20 21:06:26.448] : : auth_layer_init
[2021-10-20 21:06:26.448] : : ccp_layer_init
[2021-10-20 21:06:26.448] : : ipcp_layer_init
[2021-10-20 21:06:26.448] : : ipv6cp_layer_init
[2021-10-20 21:06:26.448] : : ppp establishing
[2021-10-20 21:06:26.449] : 78a9b1ca764827a7: lcp_layer_start
[2021-10-20 21:06:26.449] : 78a9b1ca764827a7: send [LCP ConfReq id=f9 <auth MSCHAP-v2> <mru 1400> <magic 3b7f6329>]
[2021-10-20 21:06:26.922] terminate, sig = 15
[2021-10-20 21:06:26.922] : 78a9b1ca764827a7: terminate
[2021-10-20 21:06:26.922] : 78a9b1ca764827a7: lcp_layer_finish
[2021-10-20 21:06:26.922] : 78a9b1ca764827a7: pptp: ppp finished
[2021-10-20 21:06:26.922] : 78a9b1ca764827a7: send [PPTP Call-Disconnect-Notify <Call-ID 382> <Result 3> <Error 0> <Cause 0>]
[2021-10-20 21:06:26.923] [debug] n: 148
[2021-10-20 21:06:26.923] [debug] errno: 11
[2021-10-20 21:06:26.923] : 78a9b1ca764827a7: send [PPTP Stop-Ctrl-Conn-Request <Reason 0>]
[2021-10-20 21:06:26.923] [debug] n: -1
[2021-10-20 21:06:26.923] [debug] errno: 32
From the above, we can infer that the code doesn't handle the situation when `write` fails due to EPIPE:
https://github.com/xebd/accel-ppp/blob/1b8711cf75a7c278d99840112bc7a396398e0205/accel-pppd/ctrl/pptp/pptp.c#L135-L152
The return value of `write` is -1 (thus `n=-1`), causing an underflow read of `buf`:
https://github.com/xebd/accel-ppp/blob/1b8711cf75a7c278d99840112bc7a396398e0205/accel-pppd/ctrl/pptp/pptp.c#L150
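The write-then-queue pattern the links above point at, as an added example that is not accel-ppp's code: `unchecked_copy_len` shows the length the unguarded arithmetic produces when `n == -1`, `queue_unsent` is a hardened version that classifies the result before it is used as an offset, and `demo_pipe` reproduces the EPIPE case against a local pipe. It assumes `int` for `n` and `size` (as the crash implies) and treats EAGAIN as "nothing sent yet, queue it all", which is my reading of the intended behaviour rather than the project's own logic.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Length the unchecked "if (n < size) memcpy(out, buf + n, size - n)" hands
 * to memcpy (no copy here): with int n == -1 it reads from buf - 1, size + 1 bytes. */
int unchecked_copy_len(int n, int size) {
    return (n < size) ? size - n : 0;   /* n == -1, size == 148  ->  149 */
}

/* Hardened tail-queueing: classify the write() result before using it as an
 * offset. Returns bytes queued, or -1 if the connection must be dropped. */
int queue_unsent(int n, int err, const uint8_t *buf, int size,
                 uint8_t *out_buf, size_t out_cap) {
    if (n < 0) {
        if (err != EAGAIN && err != EWOULDBLOCK)
            return -1;                  /* hard error (EPIPE...): never touch buf + n */
        n = 0;                          /* assumption: nothing sent yet, queue it all */
    }
    if (n > size || (size_t)(size - n) > out_cap)
        return -1;                      /* bogus count or out_buf too small */
    memcpy(out_buf, buf + n, (size_t)(size - n));
    return size - n;
}

/* write() wrapped with the checks above; retries on EINTR like the original. */
int send_or_queue(int fd, const uint8_t *buf, int size,
                  uint8_t *out_buf, size_t out_cap) {
    int n;
    do {
        n = (int)write(fd, buf, (size_t)size);
    } while (n < 0 && errno == EINTR);
    return queue_unsent(n, errno, buf, size, out_buf, out_cap);
}

/* Local reproduction: closing a pipe's read end makes write() fail with EPIPE
 * (SIGPIPE ignored); a live pipe takes the 148-byte message whole, queue 0. */
int demo_pipe(int close_reader) {
    int fds[2], r;
    uint8_t msg[148] = {0}, out[256];   /* constructed 148-byte message */
    if (pipe(fds) != 0) return -2;
    signal(SIGPIPE, SIG_IGN);
    if (close_reader) close(fds[0]);
    r = send_or_queue(fds[1], msg, (int)sizeof msg, out, sizeof out);
    close(fds[1]);
    if (!close_reader) close(fds[0]);
    return r;                           /* closed reader: -1, live reader: 0 */
}
```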
Using version `accel-ppp version 1.12.0-149-gff91c73`.

Summary
Sending a PPTP Call Clear Request packet after a PPTP Start Control Connection Request and a PPTP Outgoing Call Request to the server can cause a stack-buffer-underflow.

PoC
Here is the detailed information of the sent packets:
Hint: the `call_id` field is randomly generated, thus directly forwarding those three packets might not reproduce the scene. To reproduce it, it's necessary to construct similar packets.

Crash report
Log of server:
Here is the ASan report:

Reproduce info
Build accel-ppp:
Run accel-pppd, use the following command:
The running configuration /etc/accel-ppp.conf is:
Use chap-secrets, and the /etc/ppp/chap-secrets.ppp is as follows: