[PATCH] add pppd-DoS-fix.patch and use-strncpy-in-get_task_comm.patch

diff --git a/queue/pppd-DoS-fix.patch b/queue/pppd-DoS-fix.patch
new file mode 100644 (file)
index 0000000..f4e8278
--- /dev/null
+++ b/queue/pppd-DoS-fix.patch
@@ -0,0 +1,33 @@
+From: Paul Mackerras <paulus@au1.ibm.com>
+To: Martin Schulze <joey@infodrom.org>
+Cc: Free Software Distribution Vendors <vendor-sec@lst.de>,
+        Marcelo Tosatti <marcelo.tosatti@cyclades.com>
+Subject: [PATCH] CAN-2005-0384: Remote Linux DoS on ppp servers
+Date: Fri, 25 Feb 2005 13:48:50 +1100
+
+Martin Schulze writes:
+
+> Ben Martel and Stephen Blackheath have discovered a denial-of-service attack
+> that a client of pppd can make that can hang the server machine.  The bug is
+> in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists
+> in the 2.4 series.
+
+Yes, this is my bug. :(
+
+I would just do this instead:
+
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+diff -urN linux-2.5/drivers/net/ppp_async.c test/drivers/net/ppp_async.c
+--- linux-2.5/drivers/net/ppp_async.c  2005-01-21 16:02:12.000000000 +1100
++++ test/drivers/net/ppp_async.c       2005-02-25 10:38:05.000000000 +1100
+@@ -1000,7 +1000,7 @@
+       data += 4;
+       dlen -= 4;
+       /* data[0] is code, data[1] is length */
+-      while (dlen >= 2 && dlen >= data[1]) {
++      while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
+               switch (data[0]) {
+               case LCP_MRU:
+                       val = (data[2] << 8) + data[3];
+

diff --git a/queue/use-strncpy-in-get_task_comm.patch b/queue/use-strncpy-in-get_task_comm.patch
new file mode 100644 (file)
index 0000000..ac7d79a
--- /dev/null
+++ b/queue/use-strncpy-in-get_task_comm.patch
@@ -0,0 +1,30 @@
+Date: Tue, 15 Mar 2005 14:30:46 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: akpm@osdl.org, pmeda@akamai.com
+Subject: [patch] use strncpy in get_task_comm
+
+From: Prasanna Meda <pmeda@akamai.com>
+
+Set_task_comm uses strlcpy, so get_task_comm must use strncpy.
+
+Signed-Off-by: Prasanna Meda <pmeda@akamai.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ 25-akpm/fs/exec.c |    2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+diff -puN fs/exec.c~use-strncpy-in-get_task_comm fs/exec.c
+--- 25/fs/exec.c~use-strncpy-in-get_task_comm  Tue Mar 15 14:30:28 2005
++++ 25-akpm/fs/exec.c  Tue Mar 15 14:30:28 2005
+@@ -815,7 +815,7 @@ void get_task_comm(char *buf, struct tas
+ {
+       /* buf must be at least sizeof(tsk->comm) in size */
+       task_lock(tsk);
+-      memcpy(buf, tsk->comm, sizeof(tsk->comm));
++      strncpy(buf, tsk->comm, sizeof(tsk->comm));
+       task_unlock(tsk);
+ }
+