ppp: add memmove fortify and remove MRU patch 22286/head
authorPaul Donald <newtwen+github@gmail.com>
Thu, 5 Mar 2026 21:11:13 +0000 (22:11 +0100)
committerHauke Mehrtens <hauke@hauke-m.de>
Fri, 6 Mar 2026 23:04:48 +0000 (00:04 +0100)
memcpy() with overlapping src and dest buffers is an undefined behavior
in C. In the current code, a ConfRej response is generated by copying
input data in-place, where the dest address is lower than the src.
This happens to work in practice because memcpy() forward-copies data,
matching the behavior of memmove() in this case.

However, if FORTIFY_SOURCE or Address Sanitizer is enabled, memcpy()
will detect the overlap at run time and abort the program.

Replace the memcpy() with memmove() to ensure a well-defined behavior.

Reported-by: Filippo Carletti <filippo.carletti@gmail.com>
The MRU patch is upstream pull request https://github.com/ppp-project/ppp/pull/573

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22286
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
package/network/services/ppp/Makefile
package/network/services/ppp/patches/501-fix-memcpy-fortify.patch [new file with mode: 0644]
package/network/services/ppp/patches/502-remove_mru.patch [new file with mode: 0644]

index 0523b5f3e377269b42cad1f1b4b13491292a3d03..5ad68a3665d685bdd2d31ac79e1c0dd7c9a4664c 100644 (file)
@@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ppp
 PKG_VERSION:=2.5.2
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/ppp-project/ppp
diff --git a/package/network/services/ppp/patches/501-fix-memcpy-fortify.patch b/package/network/services/ppp/patches/501-fix-memcpy-fortify.patch
new file mode 100644 (file)
index 0000000..b32f87f
--- /dev/null
@@ -0,0 +1,37 @@
+From f8d994052e3858848ce11318085e04fe7a1cfb28 Mon Sep 17 00:00:00 2001
+From: LGA1150 <9155358+LGA1150@users.noreply.github.com>
+Date: Thu, 5 Mar 2026 05:41:30 +0800
+Subject: [PATCH] pppd: fix memcpy overlap (#579)
+
+memcpy() with overlapping src and dest buffers is an undefined behavior
+in C. In the current code, a ConfRej response is generated by copying
+input data in-place, where the dest address is lower than the src.
+This happens to work in practice because memcpy() forward-copies data,
+matching the behavior of memmove() in this case.
+
+However, if FORTIFY_SOURCE or Address Sanitizer is enabled, memcpy()
+will detect the overlap at run time and abort the program.
+
+Replace the memcpy() with memmove() to ensure a well-defined behavior.
+
+Reported-by: Filippo Carletti <filippo.carletti@gmail.com>
+Closes: #576
+
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+---
+ pppd/pppd-private.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/pppd-private.h b/pppd/pppd-private.h
+index 5f841824..29ea940c 100644
+--- a/pppd/pppd-private.h
++++ b/pppd/pppd-private.h
+@@ -525,7 +525,7 @@ int parse_dotted_ip(char *, u_int32_t *)
+ #define TIMEOUT(r, f, t)      ppp_timeout((r), (f), (t), 0)
+ #define UNTIMEOUT(r, f)               ppp_untimeout((r), (f))
+-#define BCOPY(s, d, l)                memcpy(d, s, l)
++#define BCOPY(s, d, l)                memmove(d, s, l)
+ #define BZERO(s, n)           memset(s, 0, n)
+ #define       BCMP(s1, s2, l)         memcmp(s1, s2, l)
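Review bot: The `BCOPY` definition in pppd-private.h now depends on memmove semantics for correctness, but nothing at the macro records that, so a later cleanup could switch it back to memcpy and bring back the overlapping copy. I would add a comment above it such as `/* callers may pass overlapping buffers (ConfRej is built in place); must stay memmove */`. The same comment could note that BCOPY takes (src, dst, len) while memmove takes (dst, src, len). Since the description says the overlap occurs while building a ConfRej from input data, the FORTIFY_SOURCE abort is presumably reachable from peer-supplied options, so this reads as an availability fix rather than a pure cleanup.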
diff --git a/package/network/services/ppp/patches/502-remove_mru.patch b/package/network/services/ppp/patches/502-remove_mru.patch
new file mode 100644 (file)
index 0000000..a1e093c
--- /dev/null
@@ -0,0 +1,28 @@
+From f691c224e12ee13a1b317a1838d150f1ffef14a1 Mon Sep 17 00:00:00 2001
+From: Mateusz Poliwczak <mpoliwczak34@gmail.com>
+Date: Wed, 11 Feb 2026 00:40:14 +0100
+Subject: [PATCH] Remove MRU limit on PPPoE (#573)
+
+Fixes #331
+
+Signed-off-by: Mateusz Poliwczak <mpoliwczak34@gmail.com>
+---
+ pppd/plugins/pppoe/plugin.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
+index b429a2fd..0f672166 100644
+--- a/pppd/plugins/pppoe/plugin.c
++++ b/pppd/plugins/pppoe/plugin.c
+@@ -446,11 +446,6 @@ void pppoe_check_options(void)
+     lcp_allowoptions[0].neg_pcompression = 0;
+     lcp_wantoptions[0].neg_pcompression = 0;
+-    if (lcp_allowoptions[0].mru > MAX_PPPOE_MTU)
+-      lcp_allowoptions[0].mru = MAX_PPPOE_MTU;
+-    if (lcp_wantoptions[0].mru > MAX_PPPOE_MTU)
+-      lcp_wantoptions[0].mru = MAX_PPPOE_MTU;
+-
+     /* Save configuration */
+     conn->storedmtu = lcp_allowoptions[0].mru;
+     conn->storedmru = lcp_wantoptions[0].mru;
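Review bot: With the two clamps removed from pppoe_check_options, `conn->storedmtu` and `conn->storedmru` are saved straight from the configured LCP values, and nothing in this hunk bounds them by what the underlying Ethernet interface can carry. If that bound is applied elsewhere (not visible here), the patch should say so; a comment above the save, e.g. `/* not capped at MAX_PPPOE_MTU here; MRU/MTU must be limited by the link MTU before use */`, would record it. The patch description is only `Fixes #331`, so the reason for dropping the limit is not visible to someone reviewing the OpenWrt tree. The function's body continues outside the hunk.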