Re: Bug#299875: ppp: out-of-memory 30min after "LCP terminated by peer"

Marco d'Itri Thu, 17 Mar 2005 01:52:26 -0800

reassign 299875 kernel
retitle 299875 CAN-2005-0384: Remote Linux DoS on ppp servers
tag 299875 patch security
thanks


Paul Mackerras says that this bug affects all kernels (2.4 and 2.6) and
can be easily triggered remotely, but is only a CPU DoS.

from 2.6.11.4:

diff -Nru a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
--- a/drivers/net/ppp_async.c   2005-03-15 16:09:59 -08:00
+++ b/drivers/net/ppp_async.c   2005-03-15 16:09:59 -08:00
@@ -1000,7 +1000,7 @@
        data += 4;
        dlen -= 4;
        /* data[0] is code, data[1] is length */
-       while (dlen >= 2 && dlen >= data[1]) {
+       while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
                switch (data[0]) {
                case LCP_MRU:
                        val = (data[2] << 8) + data[3];

-- 
ciao,
Marco

signature.asc
Description: Digital signature

Re: Bug#299875: ppp: out-of-memory 30min after "LCP terminated by peer"

Reply via email to