You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have an environment where port 1701 is mistakenly used for a certain type of UDP traffic, which is not intended to be L2TP traffic, but since it uses port 1701, it's received by xl2tpd, and when such packets are generated one per second, it causes xl2tpd to use about 800MB ~ 900MB memory after one or two days.
Here is related debug logs:
============
xl2tpd[30899]: network_thread: recv packet from 172.16.16.36, size = 36, tunnel = 0, call = 0 ref=0 refhim=0
packet dump:
HEX: { 00 3A 00 00 00 00 00 00 70 01 00 00 00 00 00 00 00 00 00 00 06 0F 92 92 00 00 00 67 00 00 00 DE 00 DA 00 00 }
ASCII: { : p g }
xl2tpd[30899]: get_call: allocating new tunnel for host 172.16.16.36, port 1701.
xl2tpd[30899]: check_payload: L2F packet received
xl2tpd[30899]: handle_packet: invalid payload packet!
xl2tpd[30899]: network_thread: bad packet
In function network_thread(), get_call() is called for a received packet. Since the packet has garbage L2TP header and the tunnel id is 0, a new tunnel structure is allocated for the packet. After that the packet is sanity checked by check_payload() in handle_packet() below and is regarded as invalid(wrong version here) and ignored, but its allocated tunnel structure is not freed, which leads to the memory leak.
I've done more test, if the attacker sends a lot of control ZLB packets with tunnel id 0, it will also cause xl2tpd memory leaking.
Hi,
We have an environment where port 1701 is mistakenly used for a certain type of UDP traffic, which is not intended to be L2TP traffic, but since it uses port 1701, it's received by xl2tpd, and when such packets are generated one per second, it causes xl2tpd to use about 800MB ~ 900MB memory after one or two days.
Here is related debug logs:
============
xl2tpd[30899]: network_thread: recv packet from 172.16.16.36, size = 36, tunnel = 0, call = 0 ref=0 refhim=0
packet dump:
HEX: { 00 3A 00 00 00 00 00 00 70 01 00 00 00 00 00 00 00 00 00 00 06 0F 92 92 00 00 00 67 00 00 00 DE 00 DA 00 00 }
ASCII: { : p g }
xl2tpd[30899]: get_call: allocating new tunnel for host 172.16.16.36, port 1701.
xl2tpd[30899]: check_payload: L2F packet received
xl2tpd[30899]: handle_packet: invalid payload packet!
xl2tpd[30899]: network_thread: bad packet
In function network_thread(), get_call() is called for a received packet. Since the packet has garbage L2TP header and the tunnel id is 0, a new tunnel structure is allocated for the packet. After that the packet is sanity checked by check_payload() in handle_packet() below and is regarded as invalid(wrong version here) and ignored, but its allocated tunnel structure is not freed, which leads to the memory leak.
I've done more test, if the attacker sends a lot of control ZLB packets with tunnel id 0, it will also cause xl2tpd memory leaking.
To make xl2tpd more robust against attacking, I have tried to fix the problem and here is my patch:
xl2tpd_memory_leak_on_invalid_pkts.txt
The text was updated successfully, but these errors were encountered: