bngblaster
bngblaster copied to clipboard
L2TP unhide with padding not working
Describe the bug
I'm using a Juniper MX with PPPoE PAP as LAC and BNGBlaster as LNS, but I get the error message, that AVP 33 cannot be decrypted. This seems to be related to this code: https://github.com/rtbrick/bngblaster/blob/2ba5a782d72b04f554a64c32cc4cc83c734e00e2/code/bngblaster/src/bbl_l2tp_avp.c#L207
len
contains the Original Attribute length
. However, the AVP length must not be len + 2
, because there can be a random padding as specified in RFC2661 https://www.rfc-editor.org/rfc/rfc2661.html#section-4.3. The issue occurs because the Juniper MX sends the AVP 33 with padding.
The mentioned length check is about the length after decryption, which must be less or equal to the encrypted AVP length.
https://github.com/rtbrick/bngblaster/blob/2ba5a782d72b04f554a64c32cc4cc83c734e00e2/code/bngblaster/src/bbl_l2tp_avp.c#L207
I added some debug (-l debug) logs in dev
branch to better understand the issue.
Thanks! I just tried the branch and get the following output.
Aug 31 19:07:26.053434 L2TP Debug (LNS1) ZLB received from 172.17.0.2
Aug 31 19:07:26.953665 L2TP Debug (LNS1) ICRQ received from 172.17.0.2
Aug 31 19:07:27.007594 L2TP Debug (LNS1) ZLB received from 172.17.0.2
Aug 31 19:07:27.009297 L2TP Debug (LNS1) ICCN received from 172.17.0.2
Aug 31 19:07:27.009935 L2TP Error (LNS1) Decrypted length 37475 > AVP length 31
Would it be possible to send PCAP and secret to [email protected]? Then I can try to decrypt manually to see what's wrong.
Fixed in dev
branch (15c5e0f187d8612d1983d9f99efb8d4821446f18).
This issue is fixed with 0.7.12 but would recommend to install 0.7.14.