From nobody@FreeBSD.org  Mon Jan  7 12:49:16 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 7337337B419
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  7 Jan 2002 12:49:15 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g07KnFp42108;
	Mon, 7 Jan 2002 12:49:15 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200201072049.g07KnFp42108@freefall.freebsd.org>
Date: Mon, 7 Jan 2002 12:49:15 -0800 (PST)
From: Brad Huntting <huntting@glarp.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: PAP AuthAck/AuthNak parsing problem in pppd
X-Send-Pr-Version: www-1.0

>Number:         33661
>Category:       bin
>Synopsis:       PAP AuthAck/AuthNak parsing problem in pppd(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          analyzed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 07 12:50:01 PST 2002
>Closed-Date:    
>Last-Modified:  Wed May 21 21:19:48 UTC 2008
>Originator:     Brad Huntting
>Release:        4.4-RELEASE
>Organization:
CU Boulder CS Dept
>Environment:
FreeBSD nomadic.glarp.com 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Tue Sep 18 11:57:08 PDT 2001     murray@builder.FreeBSD.org:/usr/src/sys/compile/GENERIC  i386

>Description:
     Some ppp implementations send PAP AuthAck packets without a message.  RFC1334 (sec 2.2 and 2.2.2) is not very clear about whether this is kosher.  At any rate, pppd does not deal with this situation gracefully.
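
As an added illustration of the packet layout this report is about (example code written for this page, not code from the PR, from pppd or from FreeBSD): a standalone parser for PAP AuthAck/AuthNak replies following the Code/Identifier/Length/Msg-Length/Message layout of RFC 1334. It reports the no-Msg-Length-field case the report describes as its own verdict rather than a parse failure, and rejects packets whose Length or Msg-Length overruns the buffer. All lengths are size_t so there is no signed/unsigned comparison to get wrong. The sample packets are constructed by hand, not captured from the phone, and every name (pap_parse_reply, pap_verdict, pap_msglen, the SAMPLE_* arrays) is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PAP packet codes and header size (RFC 1334, section 2.2). */
#define PAP_AUTHREQ 1
#define PAP_AUTHACK 2
#define PAP_AUTHNAK 3
#define PAP_HDRLEN  4   /* Code(1) Identifier(1) Length(2) */

enum pap_parse_result {
    PAP_OK,              /* Ack/Nak with a Msg-Length field; message (possibly empty) extracted */
    PAP_OK_NO_MSGFIELD,  /* Ack/Nak with no Msg-Length byte at all: tolerated as an empty message */
    PAP_ERR_SHORT,       /* buffer shorter than the header or than the packet's own Length field */
    PAP_ERR_MSGLEN,      /* Msg-Length claims more bytes than the packet carries */
    PAP_ERR_CODE         /* not an AuthAck/AuthNak */
};

struct pap_reply {
    uint8_t code;
    uint8_t id;
    const uint8_t *msg;  /* points into the caller's buffer; not NUL-terminated */
    size_t msglen;
};

/* Parse a complete PAP packet expected to be an AuthAck or AuthNak.
 * Every length is validated before it is used to index the buffer. */
enum pap_parse_result
pap_parse_reply(const uint8_t *buf, size_t buflen, struct pap_reply *out)
{
    size_t pktlen, rem, msglen;

    memset(out, 0, sizeof(*out));
    if (buflen < PAP_HDRLEN)
        return PAP_ERR_SHORT;
    out->code = buf[0];
    out->id = buf[1];
    pktlen = ((size_t)buf[2] << 8) | buf[3];
    if (pktlen < PAP_HDRLEN || pktlen > buflen)
        return PAP_ERR_SHORT;
    if (out->code != PAP_AUTHACK && out->code != PAP_AUTHNAK)
        return PAP_ERR_CODE;

    rem = pktlen - PAP_HDRLEN;
    if (rem == 0)
        return PAP_OK_NO_MSGFIELD;       /* the peer behaviour the PR reports */
    msglen = buf[PAP_HDRLEN];
    if (msglen > rem - 1)
        return PAP_ERR_MSGLEN;           /* would read past the packet */
    out->msglen = msglen;
    out->msg = buf + PAP_HDRLEN + 1;
    return PAP_OK;
}

/* Verdict only; convenient for tests and logging. */
enum pap_parse_result
pap_verdict(const uint8_t *buf, size_t buflen)
{
    struct pap_reply r;
    return pap_parse_reply(buf, buflen, &r);
}

/* Parsed message length, or -1 when the packet was rejected. */
long
pap_msglen(const uint8_t *buf, size_t buflen)
{
    struct pap_reply r;
    enum pap_parse_result v = pap_parse_reply(buf, buflen, &r);
    return (v == PAP_OK || v == PAP_OK_NO_MSGFIELD) ? (long)r.msglen : -1;
}

/* Constructed sample packets (hand-written for this example, not captured traffic). */
static const uint8_t SAMPLE_ACK_NOMSG[]    = { PAP_AUTHACK, 0x01, 0x00, 0x04 };        /* shape the report describes */
static const uint8_t SAMPLE_ACK_EMPTYMSG[] = { PAP_AUTHACK, 0x02, 0x00, 0x05, 0x00 };  /* Msg-Length 0 */
static const uint8_t SAMPLE_ACK_MSG[]      = { PAP_AUTHACK, 0x03, 0x00, 0x0c, 0x07,
                                               'W', 'e', 'l', 'c', 'o', 'm', 'e' };
static const uint8_t SAMPLE_NAK_BADLEN[]   = { PAP_AUTHNAK, 0x04, 0x00, 0x07, 0x09, 'n', 'o' }; /* Msg-Length 9, 2 bytes present */
static const uint8_t SAMPLE_TRUNC[]        = { PAP_AUTHACK, 0x05, 0x00, 0x10, 0x05, 'h' };     /* Length 16, 6 bytes present */
static const uint8_t SAMPLE_REQ[]          = { PAP_AUTHREQ, 0x06, 0x00, 0x06, 0x00, 0x00 };    /* wrong code for this parser */

static const char *
verdict_name(enum pap_parse_result v)
{
    static const char *names[] = { "ok", "ok-no-msg-field", "short", "bad-msglen", "bad-code" };
    return names[v];
}

int
main(void)
{
    struct pap_reply r;
#define SHOW(p) do { enum pap_parse_result v = pap_parse_reply(p, sizeof(p), &r); \
        printf("%-20s %-16s id=%u msglen=%zu msg=\"%.*s\"\n", #p, verdict_name(v), \
               r.id, r.msglen, (int)r.msglen, r.msg ? (const char *)r.msg : ""); } while (0)
    SHOW(SAMPLE_ACK_NOMSG);
    SHOW(SAMPLE_ACK_EMPTYMSG);
    SHOW(SAMPLE_ACK_MSG);
    SHOW(SAMPLE_NAK_BADLEN);
    SHOW(SAMPLE_TRUNC);
    SHOW(SAMPLE_REQ);
#undef SHOW
    return 0;
}
```

The distinction between PAP_OK_NO_MSGFIELD and PAP_ERR_SHORT is the whole point: a peer that omits the Msg-Length byte is tolerated (the log line can say so, as the patch below does), while a Msg-Length that reaches beyond the packet is still refused before any byte of the message is touched.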

>How-To-Repeat:
     Sign up for VoiceStream's iStream service.  Get a Motorola P280 cell phone.  Put the following lines in /etc/ppp/peers/vs:
    noipdefault
    cuaa0 38400 crtscts
    connect '/usr/bin/chat -v -f /etc/ppp/chat-vs'
    ipcp-accept-local
    ipcp-accept-remote
    user <yournamehere>

And in /etc/ppp/chat-vs:
    ABORT "BUSY"
    ABORT "NO\sCARRIER"
    TIMEOUT 2
    ""
    AT OK-AT-OK-AT-OK-AT-OK
    AT&F OK
    ATE1Q0 OK
    AT+CGDCONT=1,IP,\sinternet2.voicestream.com\s OK
    AT+CGQMIN=1,0,0,3,0,0 OK
    AT+CGQREQ=1,0,0,3,0,0 OK
    ATD*99# CONNECT

And fire up "cuaa0 57600 debug call vs" as root.

You should see a string of syslog messages that looks like:

    Jan  7 00:15:42 nomadic pppd[511]: sent [PAP AuthReq id=0x1 user="<yournamehere>" password="<yourpasswdhere>"]
    Jan  7 00:15:42 nomadic pppd[511]: rcvd [PAP AuthAck id=0x1]
    Jan  7 00:15:42 nomadic pppd[511]: rcvd [IPCP ConfReq id=0x2 <addr 192.168.100.101> <compress VJ 0f 01>]
    Jan  7 00:15:45 nomadic pppd[511]: sent [PAP AuthReq id=0x2 user="<yournamehere>" password="<yourpasswdhere>"]
    Jan  7 00:15:45 nomadic pppd[511]: rcvd [PAP AuthAck id=0x2]
    Jan  7 00:15:48 nomadic pppd[511]: sent [PAP AuthReq id=0x3 user="<yournamehere>" password="<yourpasswdhere>"]
    Jan  7 00:15:48 nomadic pppd[511]: rcvd [PAP AuthAck id=0x3]
    Jan  7 00:15:51 nomadic pppd[511]: sent [PAP AuthReq id=0x4 user="<yournamehere>" password="<yourpasswdhere>"]
    Jan  7 00:15:51 nomadic pppd[511]: rcvd [PAP AuthAck id=0x4]
    Jan  7 00:15:54 nomadic pppd[511]: sent [PAP AuthReq id=0x5 user="<yournamehere>" password="<yourpasswdhere>"]
    Jan  7 00:15:54 nomadic pppd[511]: rcvd [PAP AuthAck id=0x5]

(sorry, but that's the best I can do)

>Fix:
     Apply this patch

--- usr.sbin/pppd/upap.c.orig	Fri Aug 27 19:19:08 1999
+++ usr.sbin/pppd/upap.c	Mon Jan  7 13:06:55 2002
@@ -418,19 +418,23 @@
 
     /*
      * Parse message.
+     *   Note:  Some ppp implementations return AuthAck w/ no message.
      */
-    if (len < sizeof (u_char)) {
+    if (len < 0) {
 	UPAPDEBUG((LOG_INFO, "pap_rauthack: rcvd short packet."));
 	return;
+    } else if (len == 0) {
+	UPAPDEBUG((LOG_INFO, "pap_rauthack: no message in AuthAck."));
+    } else /* len > 0 */ {
+        GETCHAR(msglen, inp);
+        len -= sizeof (u_char);
+        if (len < msglen) {
+	    UPAPDEBUG((LOG_INFO, "pap_rauthack: rcvd short packet."));
+	    return;
+        }
+        msg = (char *) inp;
+        PRINTMSG(msg, msglen);
     }
-    GETCHAR(msglen, inp);
-    len -= sizeof (u_char);
-    if (len < msglen) {
-	UPAPDEBUG((LOG_INFO, "pap_rauthack: rcvd short packet."));
-	return;
-    }
-    msg = (char *) inp;
-    PRINTMSG(msg, msglen);
 
     u->us_clientstate = UPAPCS_OPEN;
 
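Review bot: the new block under `} else /* len > 0 */ {` is indented with spaces while the neighbouring lines (`UPAPDEBUG(...)`, `return;`, the closing brace) use tabs; re-indent it with tabs so the function stays consistent with the rest of the file. Two smaller points: replacing `if (len < sizeof (u_char)) {` with `if (len < 0) {` also changes the comparison from unsigned to signed (the old form promoted a signed `len` to `size_t`, so a negative `len` could never have matched), which is worth stating in the comment since it is a behaviour change and not only a restructuring; and on the `len == 0` path `msg` and `msglen` are never assigned, which is fine as far as this hunk shows because nothing after the block reads them, but a one-line comment saying so will keep a later edit from using an uninitialized `msg`.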
@@ -457,19 +461,23 @@
 
     /*
      * Parse message.
+     *   (note comment in upap_rauthack())
      */
-    if (len < sizeof (u_char)) {
-	UPAPDEBUG((LOG_INFO, "pap_rauthnak: rcvd short packet."));
-	return;
-    }
-    GETCHAR(msglen, inp);
-    len -= sizeof (u_char);
-    if (len < msglen) {
+    if (len < 0) {
 	UPAPDEBUG((LOG_INFO, "pap_rauthnak: rcvd short packet."));
 	return;
+    } else if (len == 0) {
+	UPAPDEBUG((LOG_INFO, "pap_rauthnak: no message in AuthNak."));
+    } else /* len > 0 */ {
+        GETCHAR(msglen, inp);
+        len -= sizeof (u_char);
+        if (len < msglen) {
+	    UPAPDEBUG((LOG_INFO, "pap_rauthnak: rcvd short packet."));
+	    return;
+        }
+        msg = (char *) inp;
+        PRINTMSG(msg, msglen);
     }
-    msg = (char *) inp;
-    PRINTMSG(msg, msglen);
 
     u->us_clientstate = UPAPCS_BADAUTH;
 
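Review bot: this is the same read-Msg-Length-then-bounds-check sequence as in upap_rauthack() with only the log strings and the final state differing, so the two copies will drift apart on the next fix; consider pulling the shared part into a helper along the lines of `upap_parse_msg(inp, len, &msg, &msglen, "pap_rauthnak")` (name illustrative) that both functions call. The comment `(note comment in upap_rauthack())` should also say in a few words why an empty AuthNak is tolerated, since a reader of this function will not have the other comment in front of them, and the space-versus-tab indentation mismatch noted on the first hunk applies to the added lines here as well.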



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: asmodai 
State-Changed-When: Sun Apr 7 07:17:51 PDT 2002 
State-Changed-Why:  
I have asked Brian Somers to look at the proposed patch from his PPP wisdom 
of things. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=33661 

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: bin/33661: PAP AuthAck/AuthNak parsing problem in pppd
Date: Sat, 5 Apr 2003 23:30:36 +0800

 Hi!
 
 asmodai resigned, so it seems this PR has not really been analyzed.
 
 Eugene Grosbein
>Unformatted:
