Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

xl2tpd memory leak when received invalid L2TP packets #195

Open
cachalot1984 opened this issue Jun 9, 2020 · 0 comments
Open

xl2tpd memory leak when received invalid L2TP packets #195

cachalot1984 opened this issue Jun 9, 2020 · 0 comments

Comments

@cachalot1984
Copy link

Hi,

We have an environment where port 1701 is mistakenly used for a certain type of UDP traffic, which is not intended to be L2TP traffic, but since it uses port 1701, it's received by xl2tpd, and when such packets are generated one per second, it causes xl2tpd to use about 800MB ~ 900MB memory after one or two days.

Here is related debug logs:

============
xl2tpd[30899]: network_thread: recv packet from 172.16.16.36, size = 36, tunnel = 0, call = 0 ref=0 refhim=0
packet dump:
HEX: { 00 3A 00 00 00 00 00 00 70 01 00 00 00 00 00 00 00 00 00 00 06 0F 92 92 00 00 00 67 00 00 00 DE 00 DA 00 00 }
ASCII: { : p g }
xl2tpd[30899]: get_call: allocating new tunnel for host 172.16.16.36, port 1701.
xl2tpd[30899]: check_payload: L2F packet received
xl2tpd[30899]: handle_packet: invalid payload packet!
xl2tpd[30899]: network_thread: bad packet

In function network_thread(), get_call() is called for a received packet. Since the packet has garbage L2TP header and the tunnel id is 0, a new tunnel structure is allocated for the packet. After that the packet is sanity checked by check_payload() in handle_packet() below and is regarded as invalid(wrong version here) and ignored, but its allocated tunnel structure is not freed, which leads to the memory leak.

I've done more test, if the attacker sends a lot of control ZLB packets with tunnel id 0, it will also cause xl2tpd memory leaking.

To make xl2tpd more robust against attacking, I have tried to fix the problem and here is my patch:
xl2tpd_memory_leak_on_invalid_pkts.txt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant