DragonFlyBSD Kernel Audit
DF-0457

Unchecked ph->length in PPPoE discovery: heap OOB read via tag-walk + heap info leak via echoed Relay-Session-Id (v1 twin of DF-0414)

Summary

ng_pppoe_rcvdata (:925-968) handles discovery frames (PADI/PADO/PADR/PADS, arriving as ETHERTYPE_PPPOE_DISC or via the STUPID_DISC fallthrough). It reads length = ntohs(ph.length) (:925) but NEVER validates that value against the actual mbuf payload size. The m_pullup (:952-960) and the m_len == pkthdr.len check (:961-968) only guarantee that the payload is contiguous; they do not bound it.

get_tag (:283-307) computes end = &ph->tag[0] + ntohs(ph->length) (:283) and loops while (pt+1) <= end, dereferencing tag_type/tag_len up to 65535 bytes past the real data into adjacent kernel heap. scan_tags (:1621-1658) has the identical OOB walk.

The OOB read becomes an info leak: scan_tags (:1640-1642) calls insert_tag(PTT_RELAY_SID) on the tag it located, and make_packet (:376, bcopy of up to 1500 bytes, bounded only by ETHER_MAX_LEN) copies those kernel heap bytes into the PADO/PADR response sent to the attacker's source MAC. An attacker who sends a crafted PADO to a client node receives a PADR whose Relay-Session-Id carries the leaked heap bytes. The comment at :944-948 admits the danger.

The session path (:1221-1229) IS bounded correctly (m_pkthdr.len < length check); only the discovery path is vulnerable. v1 twin of DF-0414 (ng7). Remote, unauthenticated, adjacent network.
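A bounded discovery-tag walk showing the check the discovery path lacks, added here as an example and not code from DragonFlyBSD's ng_pppoe. The header and tag structs, the function names and the sample frames are constructed for illustration; tag type values follow RFC 2516.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Minimal RFC 2516 layouts, constructed for this example (not the ng_pppoe structs). */
struct pppoe_hdr { uint8_t ver_type, code; uint16_t session, length; };
struct pppoe_tag { uint16_t tag_type, tag_len; };
#define PTT_EOL       0x0000
#define PTT_RELAY_SID 0x0110

/* Walk the tag list honouring both the advertised ph.length and the bytes actually present
 * ('avail', the mbuf payload length the vulnerable path never compared against).
 * Returns the tag count, or -1 if malformed; *off receives the offset of the 'want' tag. */
int walk_tags_bounded(const uint8_t *buf, size_t avail, uint16_t want, size_t *off)
{
    struct pppoe_hdr ph;
    if (avail < sizeof(ph))
        return -1;
    memcpy(&ph, buf, sizeof(ph));
    size_t length = ntohs(ph.length);
    if (length > avail - sizeof(ph))   /* the missing check: claimed length vs real payload */
        return -1;
    const uint8_t *pt = buf + sizeof(ph), *end = pt + length;
    int count = 0;
    while ((size_t)(end - pt) >= sizeof(struct pppoe_tag)) {
        struct pppoe_tag t;
        memcpy(&t, pt, sizeof(t));
        uint16_t type = ntohs(t.tag_type), len = ntohs(t.tag_len);
        if (type == PTT_EOL)
            break;
        if (len > (size_t)(end - pt) - sizeof(t))   /* tag body must stay inside length */
            return -1;
        if (type == want && off != NULL)
            *off = (size_t)(pt - buf);
        count++;
        pt += sizeof(t) + len;
    }
    return count;
}

/* Offset of the Relay-Session-Id tag (the one scan_tags echoes back), or 0 if absent/malformed. */
size_t relay_sid_offset(const uint8_t *buf, size_t avail)
{
    size_t off = 0;
    return walk_tags_bounded(buf, avail, PTT_RELAY_SID, &off) > 0 ? off : 0;
}

/* Constructed sample frames: a well-formed PADI with Service-Name + Relay-Session-Id, one
 * claiming 65535 payload bytes with only 10 present, and one whose tag overruns a 6-byte payload. */
const uint8_t frame_ok[]        = {0x11,0x09,0,0,0x00,0x0a, 0x01,0x01,0,0, 0x01,0x10,0,0x02,0x12,0x34};
const uint8_t frame_overclaim[] = {0x11,0x09,0,0,0xff,0xff, 0x01,0x01,0,0, 0x01,0x10,0,0x02,0x12,0x34};
const uint8_t frame_badtag[]    = {0x11,0x09,0,0,0x00,0x06, 0x01,0x01,0x00,0x64,0xaa,0xbb};
```

The over-claiming frame is exactly the shape the discovery path accepts: contiguous, so m_pullup and the m_len check pass, yet ph.length points the tag walk far beyond the data.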