[PATCH] CAN-2005-0384: Remote Linux DoS on ppp servers

Martin Schulze writes: > Ben Martel and Stephen Blackheath have discovered a denial-of-service attack > that a client of pppd can make that can hang the server machine. The bug is > in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists > in the 2.4 series. Yes, this is my bug. :( I would just do this instead: Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] CAN-2005-0384: Remote Linux DoS on ppp servers
Martin Schulze writes: > Ben Martel and Stephen Blackheath have discovered a denial-of-service attack > that a client of pppd can make that can hang the server machine. The bug is > in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists > in the 2.4 series. Yes, this is my bug. :( I would just do this instead: Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2b68239f · Paul Mackerras · Greg Kroah-Hartman · 542d0e2a · 2b68239f
Commit 2b68239f authored Mar 14, 2005 by Paul Mackerras Committed by Greg Kroah-Hartman Mar 14, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/net/ppp_async.c drivers/net/ppp_async.c +1 -1

No files found.
--- a/drivers/net/ppp_async.c
+++ b/drivers/net/ppp_async.c
@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncppp *ap, unsigned char *data,
 	data += 4;
 	dlen -= 4;
 	/* data[0] is code, data[1] is length */
-	while (dlen >= 2 && dlen >= data[1]) {
+	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
 		switch (data[0]) {
 		case LCP_MRU:
 			val = (data[2] << 8) + data[3];