
pppdump/zlib.c: possible invalid array index

yarda opened this issue 1 year ago

This was found by static analysis. I don't know whether it's possible to exploit it, but as the ZLIB compressed input data can be altered, I think there should be a sanity check:

The variable h is initialized to -1 (i.e. no tables) at https://github.com/ppp-project/ppp/blob/master/pppdump/zlib.c#L1326, but later, at https://github.com/ppp-project/ppp/blob/master/pppdump/zlib.c#L1415, x[h] is dereferenced, which, in case there are still no tables, could probably be x[-1], i.e. an invalid memory access.

yarda, Jun 24 '24 13:06
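An added example of the kind of sanity check the report asks for, written for this issue and not taken from pppdump/zlib.c: the table-level stack below is a simplified model of the pattern described (h starts at -1 meaning "no tables", x[h] is consulted when backing up), and the names ts_push, ts_backup, the x array, the level counter h and the 3-bits-per-level sample data are all assumptions.

```c
/* Hypothetical model of the pattern the report describes (not the
 * pppdump/zlib.c code itself): a Huffman table builder keeps per-level
 * state indexed by the current level h, where h == -1 means "no tables
 * yet".  x[h] records the bit pattern at which level h was entered, and
 * the builder backs up over finished tables by comparing the low bits
 * of the current code against x[h].  The guard in ts_backup is the
 * sanity check requested: stop before h goes negative. */
#define MAX_LEVELS 16

struct table_stack {
    unsigned x[MAX_LEVELS]; /* entry pattern for each table level */
    int h;                  /* current level, -1 = no tables yet */
};

void ts_init(struct table_stack *ts) { ts->h = -1; }

/* Enter a new table level at bit pattern `pattern`; -1 on overflow. */
int ts_push(struct table_stack *ts, unsigned pattern) {
    if (ts->h + 1 >= MAX_LEVELS) return -1;
    ts->x[++ts->h] = pattern;
    return ts->h;
}

/* Back up over finished levels while the low `bits` bits of `code`
 * differ from the level's entry pattern (`l` bits decoded per level).
 * Returns the level reached, or -1 if no level matches: malformed
 * input that an unguarded loop would turn into a read of x[-1]. */
int ts_backup(struct table_stack *ts, unsigned code, int bits, int l) {
    while (ts->h >= 0) {
        unsigned mask = bits > 0 ? (1u << bits) - 1 : 0;
        if ((code & mask) == ts->x[ts->h]) return ts->h;
        ts->h--;
        bits -= l;
    }
    return -1; /* caller must treat this as a corrupt length set */
}

/* Constructed scenarios, l = 3 bits per level. */
int demo_wellformed(void) {
    struct table_stack ts; ts_init(&ts);
    ts_push(&ts, 0);  /* level 0, entered at pattern 0 */
    ts_push(&ts, 5);  /* level 1, entered at low 3 bits == 5 */
    return ts_backup(&ts, 6, 3, 3); /* 6 != 5, so back up to level 0 */
}
int demo_malformed(void) {
    struct table_stack ts; ts_init(&ts);
    ts_push(&ts, 1);  /* level 0 with a pattern no code matches at 0 bits */
    return ts_backup(&ts, 2, 0, 3); /* guard returns -1 instead of x[-1] */
}
```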

ppp-2.5.0

yarda, Jun 24 '24 13:06

@paulusmack: Have you seen this ticket?

Neustradamus, Jul 11 '24 20:07

I'm tempted just to remove pppdump, or at least remove the support for decoding compressed packets. It's not clear to me that anyone still uses compression at the PPP level.

paulusmack, Aug 17 '24 00:08

I removed the support for decoding compressed packets.

paulusmack, Aug 20 '24 07:08