[pptp-server] some useful pptp-1.1.2 patches

Frank Cusack fcusack at fcusack.com
Mon Mar 25 08:34:27 CST 2002 

I guess pptpd isn't maintained these days, so this seems as good a place
as any to send some patches.  Hopefully they make it into the sources.

1: log tcp_wrappers denies.  This should be considered security critical.
2: properly daemonize (close stdin/stdout/stderr).  This is important!
3: don't log those silly GRE read/write problems when it's normal.  I
   can't believe all you folks can tolerate this! :-)
4: an init script for redhat.

If someone wants to host rpm's I can send them.  I'm not able to send
rpm's around to everyone though, just apply the patches please.

Patch 3 isn't done very well, I just brute forced it.  I would suggest
to the pptpd maintainer that you define error macros instead.

/fc
-------------- next part --------------
Common subdirectories: pptpd-1.1.2.orig/html and pptpd-1.1.2/html
diff -u pptpd-1.1.2.orig/pptpmanager.c pptpd-1.1.2/pptpmanager.c
--- pptpd-1.1.2.orig/pptpmanager.c	Fri Dec 17 08:30:14 1999
+++ pptpd-1.1.2/pptpmanager.c	Sun Mar 24 05:51:16 2002
@@ -178,29 +178,11 @@
 			addrsize = sizeof(client_addr);
 			clientSocket = accept(hostSocket, (struct sockaddr *) &client_addr, &addrsize);
 
-#if HAVE_LIBWRAP
-			if (clientSocket != -1) {
-				struct request_info r;
-				request_init(&r, RQ_DAEMON, "pptpd", RQ_FILE, clientSocket, NULL);
-				fromhost(&r);
-				if (!hosts_access(&r)) {
-					/* send a permission denied message? this is a tcp wrapper
-					 * type deny so probably best to just drop it immediately like
-					 * this, as tcp wrappers usually do.
-					 */
-					close(clientSocket);
-					/* this would never be file descriptor 0, so use it as a error
-					 * value
-					 */
-					clientSocket = 0;
-				}
-			}
-#endif
 			if (clientSocket == -1) {
 				/* accept failed, but life goes on... */
 				syslog(LOG_ERR, "MGR: accept() failed");
 				perror("accept");
-			} else if (clientSocket != 0) {
+			} else {
 
 #ifndef HAVE_FORK
 				switch (ctrl_pid = vfork()) {
@@ -214,6 +196,24 @@
 
 				case 0:	/* child */
 					close(hostSocket);
+#if HAVE_LIBWRAP
+					{
+						struct request_info r;
+						request_init(&r, RQ_DAEMON, "pptpd", RQ_FILE, clientSocket, NULL);
+						fromhost(&r);
+						if (!hosts_access(&r)) {
+							/* send a permission denied message? this is a tcp wrapper
+						 	 * type deny so probably best to just drop it immediately like
+						 	 * this, as tcp wrappers usually do.
+						 	 */
+							close(clientSocket);
+							if (pptp_debug)
+								syslog(LOG_DEBUG, "MGR: connection refused by tcp_wrappers");
+							refuse(&r);
+							/* NOTREACHED */
+						}
+					}
+#endif
 					if (pptp_debug)
 						syslog(LOG_DEBUG, "MGR: Launching " PPTP_CTRL_BIN " to handle client");
 #if !defined(PPPD_IP_ALLOC)
Common subdirectories: pptpd-1.1.2.orig/samples and pptpd-1.1.2/samples
-------------- next part --------------
Common subdirectories: pptpd-1.1.2.orig/html and pptpd-1.1.2/html
diff -u pptpd-1.1.2.orig/pptpd.c pptpd-1.1.2/pptpd.c
--- pptpd-1.1.2.orig/pptpd.c	Fri Dec 17 10:57:30 1999
+++ pptpd-1.1.2/pptpd.c	Sun Mar 24 06:02:38 2002
@@ -290,9 +290,7 @@
 	if (!foreground) {
 #if HAVE_DAEMON
 		closelog();
-		freopen("/dev/null", "r", stdin);
-		/* set noclose, we want stdout/stderr still attached if we can */
-		daemon(0, 1);
+		daemon(0, 0);
 		/* returns to child only */
 		/* pid will have changed */
 		openlog("pptpd", LOG_PID, LOG_PPTP);
@@ -339,10 +337,10 @@
 	char **new_argv;
 	int pid;
 	syslog(LOG_INFO, "MGR: Option parse OK, re-execing as daemon");
-	fprintf(stderr, "pptpd: option parse OK, re-execing as daemon\n");
-	fflush(stderr);
 	if ((pid = vfork()) == 0) {
 		freopen("/dev/null", "r", stdin);
+		freopen("/dev/null", "w", stdout);
+		freopen("/dev/null", "w", stderr);
 		SETSIDPGRP();
 		chdir("/");
 		umask(0);
@@ -369,6 +367,8 @@
 	} else if (pid)
 		exit(0);
 	freopen("/dev/null", "r", stdin);
+	freopen("/dev/null", "w", stdout);
+	freopen("/dev/null", "w", stderr);
 	SETSIDPGRP();
 	chdir("/");
 	umask(0);
Only in pptpd-1.1.2.orig: pptpmanager.c.libwrap
Common subdirectories: pptpd-1.1.2.orig/samples and pptpd-1.1.2/samples
-------------- next part --------------
diff -ur pptpd-1.1.2.orig/pptpctrl.c pptpd-1.1.2/pptpctrl.c
--- pptpd-1.1.2.orig/pptpctrl.c	Mon Oct  2 14:30:52 2000
+++ pptpd-1.1.2/pptpctrl.c	Mon Mar 25 05:30:11 2002
@@ -300,17 +300,21 @@
 
     /* send from pty off via GRE */
     if (gre) {
-      if (do_gre_to_pty (gre) < 0) {
-        syslog(LOG_ERR,
-               "CTRL: PTY read or GRE write failed (pty,gre)=(%d,%d)",
-               gre->pty_fd, gre->gre_fd);
+      int r;
+
+      if ((r = do_gre_to_pty (gre)) < 0) {
+	if (r != -2)
+          syslog(LOG_ERR,
+                 "CTRL: PTY read or GRE write failed (pty,gre)=(%d,%d)",
+                 gre->pty_fd, gre->gre_fd);
         break;
       }
 
-      if (do_pty_to_gre (gre) < 0) {
-        syslog(LOG_ERR,
-               "CTRL: GRE read or PTY write failed (gre,pty)=(%d,%d)",
-               gre->gre_fd, gre->pty_fd);
+      if ((r = do_pty_to_gre (gre)) < 0) {
+	if (r != -2)
+          syslog(LOG_ERR,
+                 "CTRL: GRE read or PTY write failed (gre,pty)=(%d,%d)",
+                 gre->gre_fd, gre->pty_fd);
         break;
       }
     }
diff -ur pptpd-1.1.2.orig/pptpgre.c pptpd-1.1.2/pptpgre.c
--- pptpd-1.1.2.orig/pptpgre.c	Mon Oct  2 14:30:52 2000
+++ pptpd-1.1.2/pptpgre.c	Mon Mar 25 05:34:00 2002
@@ -392,9 +392,12 @@
     return 0;
   }
 
-  syslog (LOG_ERR,
-          "Error writing GRE packet: %s", strerror (errno));
-  return -1;
+  if (errno != EBADF) {
+    syslog (LOG_ERR, "Error writing GRE packet: %s", strerror (errno));
+    return -1;
+  } else
+    /* closed, normal */
+    return -2;
 }
 
 int
@@ -414,6 +417,9 @@
     maybe_make_ack (gre);
    
     switch (write_gre (gre)) {
+    case -2:
+      return -2;
+
     case -1:
       return -1;
 
@@ -458,8 +464,12 @@
       return 0;
     }
 
-    syslog (LOG_ERR, "GRE: read error: %s", strerror (errno));
-    return -1;
+    if (errno != EBADF) {
+      syslog (LOG_ERR, "GRE: read error: %s", strerror (errno));
+      return -1;
+    } else
+      /* closed, normal */
+      return -2;
   }
 
   else if (status == 0) {
@@ -806,6 +816,9 @@
     read_packet = 0;
 
     switch (read_gre (gre)) {
+    case -2:
+      return -2;
+
     case -1:
       return -1;
 
-------------- next part --------------
#!/bin/sh
#
# chkconfig: 345 88 10
# description: Start/Stop pptpd
#

# Source function library.
. /etc/rc.d/init.d/functions

PPTPD=/usr/sbin/pptpd
LOCKF=/var/lock/subsys/radiusd
CONFIG=/etc/pptpd.conf

[ -f $PPTPD ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
	echo -n "Starting pptpd: "
	daemon $PPTPD
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && touch $LOCKF
	;;
  stop)
	echo -n "Stopping pptpd: "
	killproc $PPTPD
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f $LOCKF
	;;
  restart)
	$0 stop
	sleep 3
	$0 start
	RETVAL=$?
	;;
  condrestart)
	if [ -f $LOCKF ]; then
		$0 stop
		sleep 3
		$0 start
		RETVAL=$?
	fi
	;;
  *)
	echo $"Usage: $0 {start|stop|restart|condrestart}"
	exit 1
esac

exit $RETVAL

More information about the pptp-server mailing list