From 690e09ba5711a1637f0770bb93714a568715a309 Mon Sep 17 00:00:00 2001
From: Tassilo Schweyer <dev@welterde.de>
Date: Mon, 5 May 2025 03:15:26 +0200
Subject: [PATCH 1/2] Initialize memory so we get zero-terminated string

---
 l2tpns.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/l2tpns.c b/l2tpns.c
index f5ccff9..53011b2 100644
--- a/l2tpns.c
+++ b/l2tpns.c
@@ -4715,6 +4715,7 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr, uint16_t indexu
 					{
 						if (n <= sizeof(authresp))
 						{
+						  memset(authresp, 0, sizeof(authresp));
 							memcpy(authresp, b, n);
 							authrespn = n;
 							LOG(4, s, t, "   Proxy Auth Response\n");

From 702ed1ec72a8e6932ba35f4992b2b77eb5a84daa Mon Sep 17 00:00:00 2001
From: Tassilo Schweyer <dev@welterde.de>
Date: Mon, 5 May 2025 03:15:52 +0200
Subject: [PATCH 2/2] Quick fix to at least decode slightly larger hidden AVPs
 correctly

---
 l2tpns.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/l2tpns.c b/l2tpns.c
index 53011b2..7938d90 100644
--- a/l2tpns.c
+++ b/l2tpns.c
@@ -8620,6 +8620,10 @@ static void unhide_value(uint8_t *value, size_t len, uint16_t type, uint8_t *vec
 	size_t d = 0;
 	uint16_t m = htons(type);
 
+	// remember first block
+	uint8_t firstcipher[16];
+	memcpy(firstcipher, value, 16);
+
 	// Compute initial pad
 	MD5_Init(&ctx);
 	MD5_Update(&ctx, (unsigned char *) &m, 2);
@@ -8637,7 +8641,7 @@ static void unhide_value(uint8_t *value, size_t len, uint16_t type, uint8_t *vec
 		{
 			MD5_Init(&ctx);
 			MD5_Update(&ctx, config->l2tp_secret, strlen(config->l2tp_secret));
-			MD5_Update(&ctx, last, sizeof(digest));
+			MD5_Update(&ctx, firstcipher, sizeof(digest));
 			MD5_Final(digest, &ctx);
 
 			d = 0;