Re: Bug#299875: ppp: out-of-memory 30min after "LCP terminated by peer"
- To: Justin Pryzby <justinpryzby@users.sourceforge.net>, 299875@bugs.debian.org, team@security.debian.org, debian-kernel@lists.debian.org, control@bugs.debian.org
- Cc: Christian <evil@g-house.de>
- Subject: Re: Bug#299875: ppp: out-of-memory 30min after "LCP terminated by peer"
- From: md@Linux.IT (Marco d'Itri)
- Date: Thu, 17 Mar 2005 10:51:41 +0100
- Message-id: <[🔎] 20050317095141.GC6491@wonderland.linux.it>
- Mail-followup-to: md@Linux.IT, Justin Pryzby <justinpryzby@users.sourceforge.net>, 299875@bugs.debian.org, team@security.debian.org, debian-kernel@lists.debian.org, control@bugs.debian.org, Christian <evil@g-house.de>
- In-reply-to: <20050317070919.GA4513@andromeda>
- References: <E1DBkDw-00050l-GQ@mail.housecafe.de> <20050317070919.GA4513@andromeda>
reassign 299875 kernel
retitle 299875 CAN-2005-0384: Remote Linux DoS on ppp servers
tag 299875 patch security
thanks
Paul Mackerras says that this bug affects all kernels (2.4 and 2.6) and
can be easily triggered remotely, but is only a CPU DoS.
from 2.6.11.4:
diff -Nru a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
--- a/drivers/net/ppp_async.c 2005-03-15 16:09:59 -08:00
+++ b/drivers/net/ppp_async.c 2005-03-15 16:09:59 -08:00
@@ -1000,7 +1000,7 @@
data += 4;
dlen -= 4;
/* data[0] is code, data[1] is length */
- while (dlen >= 2 && dlen >= data[1]) {
+ while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
switch (data[0]) {
case LCP_MRU:
val = (data[2] << 8) + data[3];
--
ciao,
Marco
Attachment:
signature.asc
Description: Digital signature
Reply to: