fix: free ets->data on error paths in eaptls_receive and eaptls_free_…#597
Open
xuammu wants to merge 1 commit into
Open
fix: free ets->data on error paths in eaptls_receive and eaptls_free_…#597xuammu wants to merge 1 commit into
xuammu wants to merge 1 commit into
Conversation
…session Signed-off-by: 陈玄林 <chenxuanlin@uniontech.com>
7dd6a78 to
2262acd
Compare
Collaborator
|
Thanks for this. @jjkeijser, @enaess any comments / review? Fortunately with this kind of thing the attacker can really only deny service to themselves, since each connection has a separate pppd process. |
Contributor
|
The patch looks good to me. Ack |
Member
|
@jkroonza: Have you seen this PR? |
jkroonza
approved these changes
Jun 19, 2026
jkroonza
left a comment
Contributor
There was a problem hiding this comment.
LGTM. Eyeball only.
@paulusmack yea, if they rack up enough concurrency and is quick enough about this to prevent ppp timeout they can potentially consume a reasonable amount of system RAM, but I agree, this is generally not a major issue in all likilihood (I wouldn't roll a new version just for this kind of not important).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
eaptls_receive()allocatesets->datato reassemble fragmented EAP-TLS messages, but three early-return error paths fail to free it.eaptls_free_session()also leaksets->datawhen cleaning up thesession.Each triggered error leaks up to 64KB. An attacker can repeatedly send malformed EAP-TLS packets (LI=1, MF=0, tlslen=65536, tiny payload) to exhaust memory and cause denial of service.
Affected code
pppd/eap-tls.c—eaptls_receive()andeaptls_free_session()