[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#299875: ppp: out-of-memory 30min after "LCP terminated by peer"

reassign 299875 kernel
retitle 299875 CAN-2005-0384: Remote Linux DoS on ppp servers
tag 299875 patch security
thanks

Paul Mackerras says that this bug affects all kernels (2.4 and 2.6) and
can be easily triggered remotely, but is only a CPU DoS.

from 2.6.11.4:

diff -Nru a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
--- a/drivers/net/ppp_async.c   2005-03-15 16:09:59 -08:00
+++ b/drivers/net/ppp_async.c   2005-03-15 16:09:59 -08:00
@@ -1000,7 +1000,7 @@
        data += 4;
        dlen -= 4;
        /* data[0] is code, data[1] is length */
-       while (dlen >= 2 && dlen >= data[1]) {
+       while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
                switch (data[0]) {
                case LCP_MRU:
                        val = (data[2] << 8) + data[3];

-- 
ciao,
Marco

Attachment: signature.asc
Description: Digital signature

Reply to: