Use-after-free in accel-ppp

monty
Posts: 2
Joined: 18 Jan 2016, 11:28

Post by monty »

Hi,

I found multiple use-after-frees (double frees, to be precise) in accel-ppp (version 1.10.0).

The problem is that the function ppp_auth_succeeded (in ppp_auth.c) can potentially free its second parameter (username). When this happens, ppp_auth_succeeded returns -1.
However, in some cases, ppp_auth_succeeded is called with an argument that is freed later.

In pap_auth_results of auth_pap.c there is a call to ppp_auth_succeeded (line 187) with peer_id as parameter, but peer_id is freed later in pap_auth_results (line 197).
Same in auth_results of auth_mschap_v1.c: there is a call to ppp_auth_succeeded with name as parameter (line 270), and name is freed later (line 290).
Same principle in auth_results of auth_mschap_v2.c and auth_chap_md5.

A fix could be to add different return values for ppp_auth_succeeded and check these values from the caller.
Or to remove the call to free in ppp_auth_succeeded (and let the caller free the variable).

The issue was found with the help of the static analyzer GUEB.

Best regards
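The ownership bug described in the report, reduced to a constructed C model (added example, not accel-ppp's code): a callee that frees its argument on one failure path while the caller, which allocated the buffer, frees it unconditionally afterwards. Both fixes the report proposes are shown beside the buggy pair. All names (auth_succeeded_*, auth_results_*, session_limit_reached, the "overlimit" rejection rule) are hypothetical stand-ins; the small tracked_free() wrapper is only there so the example can count double frees instead of crashing on one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example-only double-free detector: remembers pointers already released and
 * refuses to hand one to free() twice (that would be undefined behaviour). */
#define TRACK_MAX 16
static void *freed_ptrs[TRACK_MAX];
static int nfreed;
static int double_frees;

static void tracked_free(void *p)
{
    for (int i = 0; i < nfreed; i++) {
        if (freed_ptrs[i] == p) {
            double_frees++;          /* second release of the same block */
            return;
        }
    }
    if (nfreed < TRACK_MAX)
        freed_ptrs[nfreed++] = p;
    free(p);
}

static void reset_tracker(void) { nfreed = 0; double_frees = 0; }

static char *dup_str(const char *s)  /* caller owns the result */
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Hypothetical reason for the callee to reject a session (constructed rule). */
static int session_limit_reached(const char *username)
{
    return strcmp(username, "overlimit") == 0;
}

/* BUGGY callee, modelled on the report: on failure it frees its argument and
 * returns -1; the caller cannot tell that ownership was taken. */
static int auth_succeeded_buggy(char *username)
{
    if (session_limit_reached(username)) {
        tracked_free(username);
        return -1;
    }
    return 0;
}

/* BUGGY caller: frees peer_id on every path, like the callers in the report. */
static int auth_results_buggy(const char *peer)
{
    char *peer_id = dup_str(peer);
    int r = auth_succeeded_buggy(peer_id);
    tracked_free(peer_id);           /* double free when r == -1 */
    return r;
}

/* FIX 1 (report's first suggestion): distinct return values tell the caller
 * whether the callee already released username. */
enum { AUTH_OK = 0, AUTH_FAILED = -1, AUTH_FAILED_FREED = -2 };

static int auth_succeeded_coded(char *username)
{
    if (session_limit_reached(username)) {
        tracked_free(username);
        return AUTH_FAILED_FREED;
    }
    return AUTH_OK;
}

static int auth_results_coded(const char *peer)
{
    char *peer_id = dup_str(peer);
    int r = auth_succeeded_coded(peer_id);
    if (r != AUTH_FAILED_FREED)
        tracked_free(peer_id);       /* only while we still own it */
    return r;
}

/* FIX 2 (report's second suggestion): the callee never frees its argument;
 * the allocating caller is the sole owner, so there is one free per path. */
static int auth_succeeded_fixed(const char *username)
{
    return session_limit_reached(username) ? -1 : 0;
}

static int auth_results_fixed(const char *peer)
{
    char *peer_id = dup_str(peer);
    int r = auth_succeeded_fixed(peer_id);
    tracked_free(peer_id);
    return r;
}

/* Run one caller on one peer name and report how many double frees occurred. */
static int count_double_frees(int (*caller)(const char *), const char *peer)
{
    reset_tracker();
    caller(peer);
    return double_frees;
}

int main(void)
{
    printf("buggy, accepted peer: %d\n", count_double_frees(auth_results_buggy, "alice"));
    printf("buggy, rejected peer: %d\n", count_double_frees(auth_results_buggy, "overlimit"));
    printf("fix 1, rejected peer: %d\n", count_double_frees(auth_results_coded, "overlimit"));
    printf("fix 2, rejected peer: %d\n", count_double_frees(auth_results_fixed, "overlimit"));
    return 0;
}
```

The accepted-peer path is clean in every version; only the rejection path, where the callee frees and then returns -1, produces the second free. Of the two fixes, the second is the smaller audit surface: with a single owner there is no return-code contract for future callers to get wrong.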
Dmitry
Administrator
Posts: 954
Joined: 09 Oct 2014, 10:06

Re: Use-after-free in accel-ppp

Post by Dmitry »

thanks