DragonFlyBSD Kernel Audit
DF-0269

Stack buffer overflow in sppp_print_bytes: VLA sized len but hexncpy writes 3*len bytes

Summary

sppp_print_bytes (:5290) declares a stack VLA, char hexstr[len] (len bytes), then calls hexncpy(p, len, hexstr, HEX_NCPYLEN(len), ...) (:5292), where HEX_NCPYLEN(len) = 3*len. hexncpy writes 3 bytes per input byte, so the call overflows the stack buffer by 2*len bytes.

Reachable pre-auth: the LCP debug path (:1409) runs in PHASE_ESTABLISH, before PHASE_AUTHENTICATE. When IFF_DEBUG is set, a peer that sends an LCP frame with len > 4 reaches it. A ~1500-byte frame gives ~3000 bytes of stack corruption.

Impact: remote kernel stack smash from an unauthenticated PPP peer.
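The sizing mismatch described above, as an added user-space example (not code from the DragonFly source or from this audit). hex_format, HEX_OUT_LEN, CHUNK, overflow_bytes and print_bytes_bounded are hypothetical stand-ins that assume only the 3-bytes-per-input-byte behaviour stated in the summary; the block computes how far a len-byte buffer is overrun and shows one bounded alternative that sizes a fixed buffer for the output rather than the input.

```c
#include <stddef.h>
#include <stdio.h>
/* Stand-in for HEX_NCPYLEN(len) as the finding describes it: 3 output bytes per input byte. */
#define HEX_OUT_LEN(len) ((size_t)(len) * 3)
#define CHUNK 16 /* hypothetical chunk size for the bounded variant */

/* User-space stand-in formatter ("aa-bb-cc" + NUL); returns bytes written, 0 if out is too small. */
static size_t hex_format(const unsigned char *in, size_t inlen,
                         char *out, size_t outlen, char delim)
{
    static const char digits[] = "0123456789abcdef";
    size_t i, o = 0;
    if (inlen == 0 || outlen < HEX_OUT_LEN(inlen))
        return 0;
    for (i = 0; i < inlen; i++) {
        out[o++] = digits[in[i] >> 4];
        out[o++] = digits[in[i] & 0x0f];
        out[o++] = (i + 1 < inlen) ? delim : '\0';
    }
    return o;
}

/* Bytes that land past a char hexstr[buflen] when 3 * inlen bytes are written into it. */
static size_t overflow_bytes(size_t buflen, size_t inlen)
{
    size_t need = HEX_OUT_LEN(inlen);
    return need > buflen ? need - buflen : 0;
}

/* Bounded variant: fixed buffer sized for the output, independent of the peer-controlled length. */
static size_t print_bytes_bounded(const unsigned char *p, size_t len)
{
    char hexstr[HEX_OUT_LEN(CHUNK)];
    size_t done = 0;
    while (done < len) {
        size_t n = (len - done < CHUNK) ? len - done : CHUNK;
        if (hex_format(p + done, n, hexstr, sizeof(hexstr), '-') == 0)
            break;
        printf("%s%s", done ? "-" : "", hexstr);
        done += n;
    }
    return done;
}

int main(void)
{
    unsigned char frame[1500] = {0}; /* constructed sample frame */
    printf("overflow: %zu\n", overflow_bytes(sizeof(frame), sizeof(frame)));
    return print_bytes_bounded(frame, 20) == 20 ? 0 : 1;
}
```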