CVE-2020-7466: MPD: FreeBSD PPP daemon / Bugs

The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication message to cause the daemon to read beyond allocated memory buffer, which would result in a denial of service condition.

Category: CVE
Tags: #vulnerability #dos #buffer_overflow #auth

Hello,
I found a memory corruption vulnerability in the PPP protocol implementation.
The vulnerability is in the AuthInput function of the auth.c file, which has the following code:

    bp = mbread(bp, &fsmh, sizeof(fsmh));
    if (len > ntohs(fsmh.length))
        len = ntohs(fsmh.length);
    len -= sizeof(fsmh);
    // If fsmh.length is less than sizeof(fsmh), then 'len' will overflow.

There is no check here whether 'fsmh.length' is less than 'sizeof(fsmh)'.

After 'len' overflows, execution continues to the EapInput -> EapRadiusProxy function.

In the EapRadiusProxy function, there are the following lines of code:

    auth->params.eapmsg = Malloc(MB_AUTH, len + sizeof(lh));
    // len + sizeof(lh) integer overflow
    memcpy(auth->params.eapmsg, &lh, sizeof(lh));
    memcpy(&auth->params.eapmsg[sizeof(lh)], pkt, len);
    // buffer overflow

len + sizeof(lh) will overflow again.
This causes a buffer of insufficient length to be allocated, and then memcpy causes a buffer overflow.
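The two arithmetic defects above, modelled side by side with a checked version, as an added example that is not MPD's own code: the header layout, the function names and the constructed packet bytes are assumptions made for illustration.

```c
/* Added example (not MPD code). Models the length handling described in the
 * report: the unchecked arithmetic that wraps, and a checked variant that
 * rejects a header length smaller than the header itself. */
#include <stddef.h>
#include <stdint.h>

/* Assumed minimal FSM header: code, id, 16-bit big-endian length. */
struct fsmheader {
    uint8_t  code;
    uint8_t  id;
    uint16_t length;   /* already converted to host order by read_fsmh() */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Stands in for mbread(): copies the header out of the packet bytes. */
struct fsmheader read_fsmh(const uint8_t *pkt) {
    struct fsmheader h = { pkt[0], pkt[1], be16(pkt + 2) };
    return h;
}

/* Unchecked arithmetic, as in the report: when fsmh.length is smaller than
 * sizeof(fsmh) the subtraction wraps to a huge value (the "overflow"). */
size_t fsm_len_unchecked(const uint8_t *pkt, size_t len) {
    struct fsmheader fsmh = read_fsmh(pkt);
    if (len > fsmh.length)
        len = fsmh.length;
    len -= sizeof(fsmh);
    return len;
}

/* Checked variant: refuse any packet whose declared length cannot even hold
 * the header. Returns 0 and the payload length, or -1 for a malformed packet. */
int fsm_len_checked(const uint8_t *pkt, size_t len, size_t *payload_len) {
    struct fsmheader fsmh = read_fsmh(pkt);
    if (len < sizeof(fsmh) || fsmh.length < sizeof(fsmh))
        return -1;
    if (len > fsmh.length)
        len = fsmh.length;
    *payload_len = len - sizeof(fsmh);
    return 0;
}

/* Second site: allocation size for lh + payload, rejecting wrap-around. */
int eapmsg_alloc_size(size_t len, size_t lh_size, size_t *total) {
    if (len > SIZE_MAX - lh_size)
        return -1;
    *total = len + lh_size;
    return 0;
}
```

Constructed inputs, not captured traffic: a 4-byte packet declaring length 2 wraps to SIZE_MAX - 1 in the unchecked path and is rejected by the checked one, while a packet declaring length 10 inside a 20-byte buffer yields a 6-byte payload in both.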
