fixed #273 reject invalid IPCP options

rtbrick · Aug 29, 2024 · 6d8dc3a · 6d8dc3a
1 parent c4a5295
commit 6d8dc3a
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 10 deletions.
diff --git a/code/bngblaster/src/bbl_access.c b/code/bngblaster/src/bbl_access.c
@@ -1068,6 +1068,36 @@ bbl_access_rx_ip6cp(bbl_access_interface_s *interface,
     }
 }
 
+static void
+bbl_access_rx_ipcp_conf_reject(bbl_session_s *session, bbl_ipcp_s *ipcp)
+{
+    uint16_t len = ipcp->options_len;
+    uint8_t *buf = ipcp->options;
+    uint8_t option_type = 0;
+    uint8_t option_len = 0;
+
+    LOG(PPPOE, "IPCP (ID: %u) conf-reject send\n", session->session_id);
+
+    session->ipcp_options_len = 0;
+    while(len >= 2) {
+        option_type = *buf;
+        option_len = *(buf+1);
+        if(option_type != PPP_IPCP_OPTION_ADDRESS) {
+            if((session->ipcp_options_len + option_len) <= PPP_OPTIONS_BUFFER) {
+                memcpy(session->ipcp_options+session->ipcp_options_len, buf, option_len);
+                session->ipcp_options_len += option_len;
+            }
+        }
+        buf = buf+option_len;
+        len -= option_len;
+    }
+
+    session->ipcp_peer_identifier = ipcp->identifier;
+    session->ipcp_response_code = PPP_CODE_CONF_REJECT;
+    session->send_requests |= BBL_SEND_IPCP_RESPONSE;
+    bbl_session_tx_qnode_insert(session);
+}
+
 static void
 bbl_access_rx_ipcp(bbl_access_interface_s *interface, 
                    bbl_session_s *session, 
@@ -1097,6 +1127,10 @@ bbl_access_rx_ipcp(bbl_access_interface_s *interface,
 
     switch(ipcp->code) {
         case PPP_CODE_CONF_REQUEST:
+            if(ipcp->option_dns1 || ipcp->option_dns2 || ipcp->unknown_options) {
+                bbl_access_rx_ipcp_conf_reject(session, ipcp);
+                return;
+            }
             if(ipcp->address) {
                 session->peer_ip_address = ipcp->address;
             }
@@ -1184,6 +1218,7 @@ bbl_access_rx_ipcp(bbl_access_interface_s *interface,
         case PPP_CODE_TERM_REQUEST:
             session->ipcp_peer_identifier = ipcp->identifier;
             session->ipcp_response_code = PPP_CODE_TERM_ACK;
+            session->ipcp_options_len = 0;
             session->send_requests |= BBL_SEND_IPCP_RESPONSE;
             bbl_session_tx_qnode_insert(session);
             break;

diff --git a/code/bngblaster/src/bbl_protocols.c b/code/bngblaster/src/bbl_protocols.c
@@ -3746,7 +3746,6 @@ decode_ppp_ip6cp(uint8_t *buf, uint16_t len,
     uint16_t ip6cp_len = 0;
     uint8_t  ip6cp_option_type = 0;
     uint8_t  ip6cp_option_len = 0;
-    uint8_t  ip6cp_option_index = 0;
 
     if(len < 4 || sp_len < sizeof(bbl_ip6cp_s)) {
         return DECODE_ERROR;
@@ -3786,9 +3785,6 @@ decode_ppp_ip6cp(uint8_t *buf, uint16_t len,
         case PPP_CODE_CONF_ACK:
         case PPP_CODE_CONF_NAK:
             while(ip6cp_len >= 2) {
-                if(ip6cp_option_index < PPP_MAX_OPTIONS) {
-                    ip6cp->option[ip6cp_option_index++] = buf;
-                }
                 ip6cp_option_type = *buf;
                 BUMP_BUFFER(buf, ip6cp_len, sizeof(uint8_t));
                 ip6cp_option_len = *buf;
@@ -3835,7 +3831,6 @@ decode_ppp_ipcp(uint8_t *buf, uint16_t len,
     uint16_t ipcp_len = 0;
     uint8_t  ipcp_option_type = 0;
     uint8_t  ipcp_option_len = 0;
-    uint8_t  ipcp_option_index = 0;
 
     if(len < 4 || sp_len < sizeof(bbl_ipcp_s)) {
         return DECODE_ERROR;
@@ -3876,9 +3871,6 @@ decode_ppp_ipcp(uint8_t *buf, uint16_t len,
         case PPP_CODE_CONF_NAK:
         case PPP_CODE_CONF_REJECT:
             while(ipcp_len >= 2) {
-                if(ipcp_option_index < PPP_MAX_OPTIONS) {
-                    ipcp->option[ipcp_option_index++] = buf;
-                }
                 ipcp_option_type = *buf;
                 BUMP_BUFFER(buf, ipcp_len, sizeof(uint8_t));
                 ipcp_option_len = *buf;
@@ -3914,6 +3906,7 @@ decode_ppp_ipcp(uint8_t *buf, uint16_t len,
                         break;
                     default:
                         ipcp->unknown_options = true;
+
                         break;
                 }
                 BUMP_BUFFER(buf, ipcp_len, ipcp_option_len);

diff --git a/code/bngblaster/src/bbl_protocols.h b/code/bngblaster/src/bbl_protocols.h
@@ -722,7 +722,6 @@ typedef struct bbl_ipcp_ {
     bool        option_address;
     bool        option_dns1;
     bool        option_dns2;
-    uint8_t    *option[PPP_MAX_OPTIONS];
     bool        unknown_options;
 } bbl_ipcp_s;
 
@@ -735,7 +734,6 @@ typedef struct bbl_ip6cp_ {
     uint8_t    *options;
     uint8_t     options_len;
     uint64_t    ipv6_identifier;
-    uint8_t    *option[PPP_MAX_OPTIONS];
     bool        unknown_options;
 } bbl_ip6cp_s;