mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2026-04-17 20:43:11 +03:00

Fix PPP bugs

Evengard
2026-04-05 00:52:10 +03:00
parent 193ebdba12
commit 11fa0a4891


@@ -3615,6 +3615,8 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
dataBuffer = eap_packet->Tls.TlsDataWithLength.Data; dataBuffer = eap_packet->Tls.TlsDataWithLength.Data;
dataSize -= 4; dataSize -= 4;
tlsLength = Endian32(eap_packet->Tls.TlsDataWithLength.TlsLength); tlsLength = Endian32(eap_packet->Tls.TlsDataWithLength.TlsLength);
// Let's just clamp it to a safe size to avoid DoS (GHSA-q5g3-qhc6-pr3h)
tlsLength = MIN(tlsLength, PPP_MRU_MAX * 10);
} }
/*Debug("=======RECV EAP-TLS PACKET DUMP=======\n"); /*Debug("=======RECV EAP-TLS PACKET DUMP=======\n");
for (i = 0; i < dataSize; i++) for (i = 0; i < dataSize; i++)
@@ -3659,9 +3661,12 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
sizeLeft = GetMemSize(p->Eap_TlsCtx.CachedBufferRecv); sizeLeft = GetMemSize(p->Eap_TlsCtx.CachedBufferRecv);
sizeLeft -= (UINT)(p->Eap_TlsCtx.CachedBufferRecvPntr - p->Eap_TlsCtx.CachedBufferRecv); sizeLeft -= (UINT)(p->Eap_TlsCtx.CachedBufferRecvPntr - p->Eap_TlsCtx.CachedBufferRecv);
Copy(p->Eap_TlsCtx.CachedBufferRecvPntr, dataBuffer, MIN(sizeLeft, dataSize)); if (sizeLeft > 0)
{
Copy(p->Eap_TlsCtx.CachedBufferRecvPntr, dataBuffer, MIN(sizeLeft, dataSize));
p->Eap_TlsCtx.CachedBufferRecvPntr += MIN(sizeLeft, dataSize); p->Eap_TlsCtx.CachedBufferRecvPntr += MIN(sizeLeft, dataSize);
}
} }
// If we got a cached buffer, we should feed the FIFOs via it // If we got a cached buffer, we should feed the FIFOs via it
@@ -3783,6 +3788,8 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
} }
AcUnlock(hub); AcUnlock(hub);
ReleaseHub(hub); ReleaseHub(hub);
// Making sure the stale pntr is cleared and can't be reused (GHSA-7437-282p-7465)
hub = NULL;
} }
if (found == false) if (found == false)
@@ -3790,8 +3797,6 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
PPP_PACKET* pack; PPP_PACKET* pack;
UINT identificator = p->Eap_PacketId; UINT identificator = p->Eap_PacketId;
ReleaseHub(hub);
PPPSetStatus(p, PPP_STATUS_AUTH_FAIL); PPPSetStatus(p, PPP_STATUS_AUTH_FAIL);
pack = ZeroMalloc(sizeof(PPP_PACKET)); pack = ZeroMalloc(sizeof(PPP_PACKET));
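Review bot: The clamp in the first hunk (`tlsLength = MIN(tlsLength, PPP_MRU_MAX * 10);`) silently shrinks a peer-declared EAP-TLS message length instead of rejecting it, and with the new `if (sizeLeft > 0)` guard in the second hunk any bytes beyond the clamped size are dropped without a log line or a failed status, so an oversized or inconsistent message presumably only surfaces later as an opaque TLS handshake error. Treating an over-limit length as a protocol error would be easier to detect and audit, e.g. `if (tlsLength > PPP_EAP_TLS_MAX_LEN) { Debug("EAP-TLS: declared length %u exceeds limit\n", tlsLength); /* fail the session as this function's other error paths do */ }`, where `PPP_EAP_TLS_MAX_LEN` is a placeholder name for a documented constant replacing the bare `PPP_MRU_MAX * 10`. It is also worth confirming that `tlsLength` has a lower bound before it sizes `CachedBufferRecv`, and that no path reaches the `found == false` branch with a hub reference still held now that its `ReleaseHub(hub)` is gone; both depend on code outside the visible hunks. The body of `PPPProcessEAPTlsResponse` starts and ends outside the hunks shown.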