VYPR
Unrated severity · NVD Advisory · Published Nov 17, 2023 · Updated Aug 2, 2024

CVE-2023-41102


Description

An issue was discovered in the captive portal in OpenNDS before version 10.1.3. It has multiple memory leaks due to not freeing up allocated memory. This may lead to a Denial-of-Service condition due to the consumption of all available memory. The affected OpenNDS versions before 10.1.3 were fixed in OpenWrt master and OpenWrt 23.05 on 23 November by updating OpenNDS to version 10.2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory leaks in OpenNDS captive portal before version 10.1.3 can lead to denial of service by exhausting available memory.

Vulnerability

Multiple memory leaks exist in the captive portal of OpenNDS before version 10.1.3. The leaks occur because allocated memory is not freed in various code paths, including when passing buffers into safe_asprintf() and during client list management. Affected versions are OpenNDS prior to 10.1.3 [1][2].

Exploitation

An attacker with network access to the captive portal can trigger the memory leaks by sending requests that cause memory allocation without subsequent deallocation. No authentication is required. Repeated exploitation over time exhausts all available memory, resulting in a denial-of-service condition [1].

Impact

Successful exploitation leads to a denial of service due to memory exhaustion, rendering the captive portal and potentially the entire device unresponsive [1].

Mitigation

The issue is fixed in OpenNDS version 10.1.3, released on August 28, 2023 [1]. OpenWrt updated OpenNDS to version 10.2.0 on November 23, 2023 [3]. Users should upgrade to the latest version. No workaround is disclosed in the available references [1][3].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing free() calls for several allocated client struct fields, and a missing allocation check for cpi_query, causing memory leaks when clients are reset or removed from the client list."

Attack vector

An attacker can repeatedly connect and disconnect from the captive portal, triggering client_reset() and _client_list_free_node() on the OpenNDS gateway [ref_id=1]. Each cycle leaks memory because fields such as token, hid, custom, client_type, cid, and cpi_query are not freed before the client struct is reused or deallocated [ref_id=1]. Over time, the accumulated leaks exhaust all available memory on the gateway, leading to a Denial-of-Service condition. No authentication is required; the attacker only needs network access to the captive portal interface.

Affected code

The functions client_reset() and _client_list_free_node() in the OpenNDS captive portal code are affected [ref_id=1]. In client_reset(), the cpi_query field was not allocated before use. In _client_list_free_node(), the fields token, hid, custom, client_type, cid, and cpi_query were not freed before the client struct was freed [ref_id=1].

What the fix does

The patch adds missing free() calls for client->token, client->hid, client->custom, client->client_type, and client->cid inside _client_list_free_node() [ref_id=1]. It also moves the client->cid allocation inside the if-block so it is only called when cid was not previously set, and adds a conditional allocation for client->cpi_query in client_reset() to prevent a NULL-pointer dereference [ref_id=1]. These changes ensure all dynamically allocated memory is properly released when a client entry is freed or reset, closing the memory leaks.
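The leak pattern and its correction can be reproduced with a counting allocator, which also works as a regression check for this class of bug. This is an added example, not OpenNDS code: `demo_client`, the `t_*` wrappers and the `free_node_*` functions are hypothetical, only the field names come from the advisory, and the corrected function frees all six named fields as the general pattern.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical client record; only the field names come from the advisory. */
typedef struct {
    char *token, *hid, *custom, *client_type, *cid, *cpi_query;
} demo_client;

static long live_blocks; /* heap blocks allocated and not yet freed */
static void *t_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void t_free(void *p) { if (p) { live_blocks--; free(p); } }
static char *t_strdup(const char *s) {
    char *p = t_malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL;
}

/* One client joining: the record plus six owned strings (constructed values). */
static demo_client *demo_client_new(void) {
    demo_client *c = t_malloc(sizeof *c);
    if (!c) return NULL;
    c->token = t_strdup("tok");   c->hid = t_strdup("hid");
    c->custom = t_strdup("cus");  c->client_type = t_strdup("typ");
    c->cid = t_strdup("cid");     c->cpi_query = t_strdup("qry");
    return c;
}

/* Leaky pattern: the record is released, the strings it owns are not. */
static void free_node_leaky(demo_client *c) { t_free(c); }
/* Corrected pattern: release every owned field, then the record itself. */
static void free_node_fixed(demo_client *c) {
    if (!c) return;
    char *owned[] = { c->token, c->hid, c->custom, c->client_type, c->cid, c->cpi_query };
    for (size_t i = 0; i < sizeof owned / sizeof owned[0]; i++) t_free(owned[i]);
    t_free(c);
}

/* Run n join/leave cycles; return the number of blocks still allocated. */
long leaked_after_cycles(int n, int fixed) {
    live_blocks = 0;
    for (int i = 0; i < n; i++) {
        demo_client *c = demo_client_new();
        if (!c) break;
        if (fixed) free_node_fixed(c); else free_node_leaky(c);
    }
    return live_blocks;
}

int main(void) {
    return printf("leaky=%ld fixed=%ld\n", leaked_after_cycles(1000, 0), leaked_after_cycles(1000, 1)) < 0;
}
```

The leaky variant grows linearly with the number of client cycles, which is why the condition is reachable by any unauthenticated client that can repeatedly join and leave.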

Preconditions

  • network: Attacker must have network access to the OpenNDS captive portal interface.
  • auth: No authentication required; the captive portal is publicly reachable.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
