The sppp_pap_input() function in OpenBSD's PPP PAP authentication handler allows attackers to bypass authentication by sending a PAP Auth-Request with zero-length name and password fields. The bcmp() function returns 0 for zero-length comparisons, enabling credentialless authentication. A secondary heap over-read vulnerability exists when name_len exceeds the allocated credential buffer size.
| Vendor | Product | Versions |
|---|---|---|
| openbsd | openbsd sppp pap handler | <= 7.6 |
