Full Disclosure mailing list archives
bss-based buffer overflow in l2tpd
From: Thomas Walpuski <thomas-bugtraq () unproved org>
Date: Fri, 4 Jun 2004 18:53:52 +0000
All versions of l2tpd contain a bss-based buffer overflow. After circumventing some minor obstacles (i.e., faking an L2TP tunnel establishment) the overflow can be triggered by sending a specially crafted packet. The crucial code can be found in write_packet() in control.c:

    static unsigned char wbuf[MAX_RECV_SIZE];
    int pos = 0;

    [..]

    e = PPP_FLAG;
    wbuf[pos++] = e;
    for (x = 0; x < buf->len; x++)
    {
        e = *((char *) buf->start + x);
        if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
        {
            /* Escape this */
            e = e ^ 0x20;
            wbuf[pos++] = PPP_ESCAPE;   /* escaped bytes take two output bytes; pos is never checked against MAX_RECV_SIZE */
        }
        wbuf[pos++] = e;
    }
    wbuf[pos++] = PPP_FLAG;

Nota bene: buf->len can be up to 4080 = 4096 (=: MAX_RECV_SIZE) - 16.

It might be hard or even impossible to exploit this buffer overflow.

Thomas Walpuski

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
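The arithmetic behind the post, as an added example (editor's code, not l2tpd's): the quoted loop emits one leading flag, up to two bytes per input byte, and one trailing flag, so a 4080-byte payload in which every byte needs escaping requires 2 + 2 * 4080 = 8162 output bytes, roughly twice the 4096-byte wbuf. The block below computes that bound, applies the same escaping predicate as the quoted code, and shows a bounds-checked variant that refuses frames that would not fit. It assumes the standard HDLC-style framing values PPP_FLAG = 0x7e and PPP_ESCAPE = 0x7d and MAX_RECV_SIZE = 4096 from the post; the demo_* functions and their all-flag / all-'A' inputs are constructed for illustration.

```c
/* Added example, not l2tpd source. Constants assumed: RFC 1662 framing
 * values for flag/escape and the post's MAX_RECV_SIZE of 4096. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECV_SIZE 4096
#define PPP_FLAG      0x7e
#define PPP_ESCAPE    0x7d

/* Same predicate as the quoted loop: control characters and the two
 * framing bytes get escaped; everything else passes through unchanged. */
static int ppp_needs_escape(unsigned char e)
{
    return (e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG);
}

/* Upper bound on bytes the quoted loop writes for `len` input bytes:
 * leading FLAG + (ESCAPE + byte) for every input byte + trailing FLAG. */
size_t ppp_worst_case_len(size_t len)
{
    return 2 + 2 * len;
}

/* Exact number of bytes the quoted loop would write for this input. */
size_t ppp_escaped_len(const unsigned char *in, size_t len)
{
    size_t out = 2;
    for (size_t x = 0; x < len; x++)
        out += ppp_needs_escape(in[x]) ? 2 : 1;
    return out;
}

/* Bounds-checked version of the quoted loop. Returns the number of bytes
 * written to `out`, or 0 when the escaped frame would not fit in `outcap`
 * (the quoted code has no such check and keeps writing past wbuf). */
size_t ppp_escape_frame(const unsigned char *in, size_t len,
                        unsigned char *out, size_t outcap)
{
    size_t pos = 0;
    if (outcap < 2)
        return 0;
    out[pos++] = PPP_FLAG;
    for (size_t x = 0; x < len; x++) {
        unsigned char e = in[x];
        size_t need = ppp_needs_escape(e) ? 2 : 1;
        /* keep one byte in reserve for the closing FLAG */
        if (outcap - pos < need + 1)
            return 0;
        if (need == 2) {
            out[pos++] = PPP_ESCAPE;
            e ^= 0x20;
        }
        out[pos++] = e;
    }
    out[pos++] = PPP_FLAG;
    return pos;
}

/* Constructed inputs (hypothetical, not captured traffic): a payload of the
 * post's maximum length (4096 - 16 = 4080 bytes). */
static unsigned char payload[MAX_RECV_SIZE - 16];
static unsigned char wbuf[MAX_RECV_SIZE];

/* 4080 x FLAG: every byte is escaped, so the frame needs 8162 bytes. */
size_t demo_all_flags_needed(void)
{
    memset(payload, PPP_FLAG, sizeof payload);
    return ppp_escaped_len(payload, sizeof payload);
}

/* Same payload through the checked writer: rejected (returns 0). */
size_t demo_all_flags_written(void)
{
    memset(payload, PPP_FLAG, sizeof payload);
    return ppp_escape_frame(payload, sizeof payload, wbuf, sizeof wbuf);
}

/* 4080 x 'A': nothing is escaped, 4082 bytes fit in wbuf. */
size_t demo_plain_written(void)
{
    memset(payload, 'A', sizeof payload);
    return ppp_escape_frame(payload, sizeof payload, wbuf, sizeof wbuf);
}

/* Byte-level check of the escaping itself on a three-byte input. */
int demo_small_frame_matches(void)
{
    const unsigned char in[] = { 0x7e, 0x41, 0x01 };
    const unsigned char expect[] = { 0x7e, 0x7d, 0x5e, 0x41, 0x7d, 0x21, 0x7e };
    unsigned char out[16];
    size_t n = ppp_escape_frame(in, sizeof in, out, sizeof out);
    return n == sizeof expect && memcmp(out, expect, n) == 0;
}

int main(void)
{
    printf("all-flag payload needs %zu bytes, wbuf holds %d\n",
           demo_all_flags_needed(), MAX_RECV_SIZE);
    printf("checked writer: all-flag -> %zu, plain -> %zu\n",
           demo_all_flags_written(), demo_plain_written());
    return 0;
}
```

The checked writer keeps a byte in reserve for the closing flag on every iteration, so it never writes past `outcap` regardless of how many input bytes need escaping; the quoted l2tpd loop only bounds the input (`buf->len`), not the output, which is the whole defect.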