L2TP unhide with padding not working

[SoerenBusse]

Describe the bug

I'm using a Juniper MX with PPPoE PAP as LAC and BNGBlaster as LNS, but I get the error message, that AVP 33 cannot be decrypted. This seems to be related to this code: https://github.com/rtbrick/bngblaster/blob/2ba5a782d72b04f554a64c32cc4cc83c734e00e2/code/bngblaster/src/bbl_l2tp_avp.c#L207

len contains the Original Attribute length. However, the AVP length must not be len + 2, because there can be a random padding as specified in RFC2661 https://www.rfc-editor.org/rfc/rfc2661.html#section-4.3. The issue occurs because the Juniper MX sends the AVP 33 with padding.

[GIC-de]

The mentioned length check is about the length after decryption, which must be less or equal to the encrypted AVP length.

https://github.com/rtbrick/bngblaster/blob/2ba5a782d72b04f554a64c32cc4cc83c734e00e2/code/bngblaster/src/bbl_l2tp_avp.c#L207

[GIC-de]

I added some debug (-l debug) logs in dev branch to better understand the issue.

[SoerenBusse]

Thanks! I just tried the branch and get the following output.

Aug 31 19:07:26.053434 L2TP Debug (LNS1) ZLB received from 172.17.0.2
Aug 31 19:07:26.953665 L2TP Debug (LNS1) ICRQ received from 172.17.0.2
Aug 31 19:07:27.007594 L2TP Debug (LNS1) ZLB received from 172.17.0.2
Aug 31 19:07:27.009297 L2TP Debug (LNS1) ICCN received from 172.17.0.2
Aug 31 19:07:27.009935 L2TP Error (LNS1) Decrypted length 37475 > AVP length 31

[GIC-de]

Would it be possible to send PCAP and secret to [email protected]? Then I can try to decrypt manually to see what's wrong.

[GIC-de]

Fixed in dev branch (15c5e0f187d8612d1983d9f99efb8d4821446f18).

[GIC-de]

This issue is fixed with 0.7.12 but would recommend to install 0.7.14.