From 1e9da9798ac2a617f9bdd9b11b1582a86133f9e8 Mon Sep 17 00:00:00 2001 From: Paul Donald Date: Thu, 5 Mar 2026 22:11:13 +0100 Subject: [PATCH] ppp: add memmove fortify and remove MRU patch memcpy() with overlapping src and dest buffers is an undefined behavior in C. In the current code, a ConfRej response is generated by copying input data in-place, where the dest address is lower than the src. This happens to work in practice because memcpy() forward-copies data, matching the behavior of memmove() in this case. However, if FORTIFY_SOURCE or Address Sanitizer is enabled, memcpy() will detect the overlap at run time and abort the program. Replace the memcpy() with memmove() to ensure a well-defined behavior. Reported-by: Filippo Carletti MRU patch https://github.com/ppp-project/ppp/pull/573 Signed-off-by: Paul Donald Link: https://github.com/openwrt/openwrt/pull/22286 Signed-off-by: Hauke Mehrtens --- package/network/services/ppp/Makefile | 2 +- .../ppp/patches/501-fix-memcpy-fortify.patch | 37 +++++++++++++++++++ .../services/ppp/patches/502-remove_mru.patch | 28 ++++++++++++++ 3 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 package/network/services/ppp/patches/501-fix-memcpy-fortify.patch create mode 100644 package/network/services/ppp/patches/502-remove_mru.patch diff --git a/package/network/services/ppp/Makefile b/package/network/services/ppp/Makefile index 0523b5f3e3..5ad68a3665 100644 --- a/package/network/services/ppp/Makefile +++ b/package/network/services/ppp/Makefile @@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=ppp PKG_VERSION:=2.5.2 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/ppp-project/ppp diff --git a/package/network/services/ppp/patches/501-fix-memcpy-fortify.patch b/package/network/services/ppp/patches/501-fix-memcpy-fortify.patch new file mode 100644 index 0000000000..b32f87fddb --- /dev/null +++ b/package/network/services/ppp/patches/501-fix-memcpy-fortify.patch 
@@ -0,0 +1,37 @@
+From f8d994052e3858848ce11318085e04fe7a1cfb28 Mon Sep 17 00:00:00 2001
+From: LGA1150 <9155358+LGA1150@users.noreply.github.com>
+Date: Thu, 5 Mar 2026 05:41:30 +0800
+Subject: [PATCH] pppd: fix memcpy overlap (#579)
+
+memcpy() with overlapping src and dest buffers is an undefined behavior
+in C. In the current code, a ConfRej response is generated by copying
+input data in-place, where the dest address is lower than the src.
+This happens to work in practice because memcpy() forward-copies data,
+matching the behavior of memmove() in this case.
+
+However, if FORTIFY_SOURCE or Address Sanitizer is enabled, memcpy()
+will detect the overlap at run time and abort the program.
+
+Replace the memcpy() with memmove() to ensure a well-defined behavior.
+
+Reported-by: Filippo Carletti
+Closes: #576
+
+Signed-off-by: Qingfang Deng
+---
+ pppd/pppd-private.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/pppd-private.h b/pppd/pppd-private.h
+index 5f841824..29ea940c 100644
+--- a/pppd/pppd-private.h
++++ b/pppd/pppd-private.h
+@@ -525,7 +525,7 @@ int parse_dotted_ip(char *, u_int32_t *)
+ #define TIMEOUT(r, f, t) ppp_timeout((r), (f), (t), 0)
+ #define UNTIMEOUT(r, f) ppp_untimeout((r), (f))
+
+-#define BCOPY(s, d, l) memcpy(d, s, l)
++#define BCOPY(s, d, l) memmove(d, s, l)
+ #define BZERO(s, n) memset(s, 0, n)
+ #define BCMP(s1, s2, l) memcmp(s1, s2, l)
+
diff --git a/package/network/services/ppp/patches/502-remove_mru.patch b/package/network/services/ppp/patches/502-remove_mru.patch
new file mode 100644
index 0000000000..a1e093cb06
--- /dev/null
+++ b/package/network/services/ppp/patches/502-remove_mru.patch
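Review bot: `BCOPY` in 501-fix-memcpy-fortify.patch now tolerates overlapping buffers for every caller, but nothing at the definition records that overlap is expected, so a later cleanup could switch it back to `memcpy()` and bring back the abort under FORTIFY_SOURCE or Address Sanitizer that the patch description mentions. A one-line comment above the macro would pin the intent, for example `/* memmove, not memcpy: replies such as ConfRej are built in place, so s and d may overlap */`. The description implies the copied bytes originate from the peer's request, so the abort would presumably be triggerable from the remote end of the link; that is inferred rather than visible in the hunk, and is worth stating in the patch header so the fix is treated as a robustness issue and not only a sanitizer cleanup.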
@@ -0,0 +1,28 @@
+From f691c224e12ee13a1b317a1838d150f1ffef14a1 Mon Sep 17 00:00:00 2001
+From: Mateusz Poliwczak
+Date: Wed, 11 Feb 2026 00:40:14 +0100
+Subject: [PATCH] Remove MRU limit on PPPoE (#573)
+
+Fixes #331
+
+Signed-off-by: Mateusz Poliwczak
+---
+ pppd/plugins/pppoe/plugin.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
+index b429a2fd..0f672166 100644
+--- a/pppd/plugins/pppoe/plugin.c
++++ b/pppd/plugins/pppoe/plugin.c
+@@ -446,11 +446,6 @@ void pppoe_check_options(void)
+ lcp_allowoptions[0].neg_pcompression = 0;
+ lcp_wantoptions[0].neg_pcompression = 0;
+
+- if (lcp_allowoptions[0].mru > MAX_PPPOE_MTU)
+- lcp_allowoptions[0].mru = MAX_PPPOE_MTU;
+- if (lcp_wantoptions[0].mru > MAX_PPPOE_MTU)
+- lcp_wantoptions[0].mru = MAX_PPPOE_MTU;
+-
+ /* Save configuration */
+ conn->storedmtu = lcp_allowoptions[0].mru;
+ conn->storedmru = lcp_wantoptions[0].mru;
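Review bot: With both clamps deleted, `conn->storedmtu` and `conn->storedmru` are saved straight from `lcp_allowoptions[0].mru` and `lcp_wantoptions[0].mru`, and no upper bound remains in the lines shown. The patch header says only `Fixes #331`, so it does not record where an oversized value is now rejected or how it relates to the MTU of the underlying Ethernet interface; please add that rationale to the header, and confirm that no buffer or length check elsewhere in the plugin still assumes `MAX_PPPOE_MTU`. If no other bound exists, clamping to a value derived from the interface MTU instead of dropping the check would keep a limit on what a configuration or a peer can request. `pppoe_check_options()` starts and ends outside the hunk, so a later check may already cover this.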