[RP-PPPoE] Use-after-free in kernel mode plugin?

Bartos-Elekes Zsolt muszi at kite.hu
Tue Jan 31 10:19:43 EST 2017


Hi all,

Freeing connection info in plugin.c:PPPOEDisconnectDevice() results in 
use-after-free.  conn is malloc()-ed in PPPOEInitDevice(), which is called only 
once by pppd on initialization (PHASE_INITIALIZE). If the connection is closed 
by the peer, and pppd's "persist" option is in effect, pppd tries to reconnect, 
but might not succeed because conn is already free()d.

Use-after-free can be easily detected if you set conn=NULL after freeing it 
in PPPOEDisconnectDevice() and check for conn==NULL in PPPOEConnectDevice().


Here is my pppd config file:

nodetach
plugin rp-pppoe.so
nic-eth_pci3
mtu 1492
mru 1492
default-asyncmap
user "username"
noauth
unit 0
noipdefault
ipcp-accept-local
ipcp-accept-remote
# defaultroute
# usepeerdns
persist
maxfail 0
holdoff 2
lcp-echo-interval 10
lcp-echo-failure 3
maxconnect 5


I get the following log:

Plugin rp-pppoe.so loaded.
RP-PPPoE plugin version 3.12 compiled against pppd 2.4.6
pppd 2.4.6 started by root, uid 0
PPP session is 116 (0x74)
Connected to 00:1f:c6:34:c7:46 via interface eth_pci3
Using interface ppp0
Connect: ppp0 <--> eth_pci3
PAP authentication succeeded
peer from calling number 00:1F:C6:34:C7:46 authorized
local  IP address 172.16.1.116
remote IP address 172.16.1.255
Connect time expired
Connect time 5 seconds (0 days 0:00:05)
Sent 0 bytes, received 0 bytes.
Connection terminated.
Can't get MTU for Ŕ#025<#002: No such device
Can't get MTU for Ŕ#025<#002: No such device
Can't get MTU for Ŕ#025<#002: No such device
Can't get MTU for Ŕ#025<#002: No such device
Terminating on signal 2
Exit.

-- 
Best regards,
Zsolt
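The lifecycle the report describes, as an added example that is not rp-pppoe's own code: a minimal model of a plugin-global conn that is allocated once at initialisation, freed on disconnect, and then reused by a "persist" reconnect. The function names are hypothetical stand-ins for PPPOEInitDevice/PPPOEConnectDevice/PPPOEDisconnectDevice, and the block shows the conn=NULL plus NULL-check detection the report suggests, so the retry fails cleanly instead of dereferencing freed memory.

```c
/* Added example, not plugin.c: model of the conn lifecycle from the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char ifName[16];
    int  sessionId;
} PPPoEConnection;

static PPPoEConnection *conn = NULL;   /* plugin-global, allocated once */

/* Stand-in for PPPOEInitDevice(): pppd calls this once at PHASE_INITIALIZE. */
int model_init_device(const char *ifname)
{
    conn = malloc(sizeof *conn);
    if (conn == NULL)
        return -1;
    memset(conn, 0, sizeof *conn);
    snprintf(conn->ifName, sizeof conn->ifName, "%s", ifname);
    return 0;
}

/* Stand-in for PPPOEConnectDevice(): called on every connect, including
 * the retries pppd makes under "persist". */
int model_connect_device(void)
{
    /* Detection check from the report: refuse to use freed connection info. */
    if (conn == NULL) {
        fprintf(stderr, "connect: conn is NULL, freed on disconnect?\n");
        return -1;
    }
    conn->sessionId = 116;                        /* pretend discovery worked */
    printf("Connected via interface %s\n", conn->ifName);
    return 0;
}

/* Stand-in for PPPOEDisconnectDevice(). */
void model_disconnect_device(void)
{
    free(conn);
    conn = NULL;   /* without this, the next connect reads freed memory */
}

int model_conn_is_live(void) { return conn != NULL; }

int main(void)
{
    model_init_device("eth_pci3");
    model_connect_device();       /* first session succeeds */
    model_disconnect_device();    /* peer closes, persist schedules a retry */
    return model_connect_device() == 0 ? 0 : 1;   /* retry now fails cleanly */
}
```

Without the conn=NULL line the second connect would read the freed block, which is the kind of garbage interface name the "Can't get MTU" log lines above show.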



