From c7b375bf2754c8ddb1dffd5f75b011a080b9d634 Mon Sep 17 00:00:00 2001
From: "chrisw@osdl.org"
Date: Tue, 15 Mar 2005 15:15:35 -0800
Subject: [PATCH] [PATCH] add pppd-DoS-fix.patch and use-strncpy-in-get_task_comm.patch
---
queue/pppd-DoS-fix.patch | 33 ++++++++++++++++++++++++
queue/use-strncpy-in-get_task_comm.patch | 30 +++++++++++++++++++++
2 files changed, 63 insertions(+)
create mode 100644 queue/pppd-DoS-fix.patch
create mode 100644 queue/use-strncpy-in-get_task_comm.patch
diff --git a/queue/pppd-DoS-fix.patch b/queue/pppd-DoS-fix.patch
new file mode 100644
index 00000000000..f4e8278b5f1
--- /dev/null
+++ b/queue/pppd-DoS-fix.patch
@@ -0,0 +1,33 @@
+From: Paul Mackerras
+To: Martin Schulze
+Cc: Free Software Distribution Vendors ,
+ Marcelo Tosatti
+Subject: [PATCH] CAN-2005-0384: Remote Linux DoS on ppp servers
+Date: Fri, 25 Feb 2005 13:48:50 +1100
+
+Martin Schulze writes:
+
+> Ben Martel and Stephen Blackheath have discovered a denial-of-service attack
+> that a client of pppd can make that can hang the server machine. The bug is
+> in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists
+> in the 2.4 series.
+
+Yes, this is my bug. :(
+
+I would just do this instead:
+
+Signed-off-by: Chris Wright
+
+diff -urN linux-2.5/drivers/net/ppp_async.c test/drivers/net/ppp_async.c
+--- linux-2.5/drivers/net/ppp_async.c 2005-01-21 16:02:12.000000000 +1100
++++ test/drivers/net/ppp_async.c 2005-02-25 10:38:05.000000000 +1100
+@@ -1000,7 +1000,7 @@
+ data += 4;
+ dlen -= 4;
+ /* data[0] is code, data[1] is length */
+- while (dlen >= 2 && dlen >= data[1]) {
++ while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
+ switch (data[0]) {
+ case LCP_MRU:
+ val = (data[2] << 8) + data[3];
+
diff --git a/queue/use-strncpy-in-get_task_comm.patch b/queue/use-strncpy-in-get_task_comm.patch
new file mode 100644
index 00000000000..ac7d79aec7b
--- /dev/null
+++ b/queue/use-strncpy-in-get_task_comm.patch
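Review bot: In queue/pppd-DoS-fix.patch, the `LCP_MRU` case shown as context reads `data[2]` and `data[3]`, while the new loop condition only guarantees `data[1] >= 2` and `dlen >= data[1]`. An option whose declared length is 2 or 3 is therefore still decoded as if it carried a 16-bit value. The added bound fixes the loop that never advanced, but each case should also confirm the option is long enough for the field it reads, for example by testing `data[1] >= 4` before `val = (data[2] << 8) + data[3];`. Whether those bytes always lie inside the received frame depends on code outside the hunk, and the loop body continues past the last visible line, so this needs checking against the full function.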
@@ -0,0 +1,30 @@
+Date: Tue, 15 Mar 2005 14:30:46 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: akpm@osdl.org, pmeda@akamai.com
+Subject: [patch] use strncpy in get_task_comm
+
+From: Prasanna Meda
+
+Set_task_comm uses strlcpy, so get_task_comm must use strncpy.
+
+Signed-Off-by: Prasanna Meda
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ 25-akpm/fs/exec.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+diff -puN fs/exec.c~use-strncpy-in-get_task_comm fs/exec.c
+--- 25/fs/exec.c~use-strncpy-in-get_task_comm Tue Mar 15 14:30:28 2005
++++ 25-akpm/fs/exec.c Tue Mar 15 14:30:28 2005
+@@ -815,7 +815,7 @@ void get_task_comm(char *buf, struct tas
+ {
+ /* buf must be at least sizeof(tsk->comm) in size */
+ task_lock(tsk);
+- memcpy(buf, tsk->comm, sizeof(tsk->comm));
++ strncpy(buf, tsk->comm, sizeof(tsk->comm));
+ task_unlock(tsk);
+ }
+
-- 2.47.3
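Review bot: In queue/use-strncpy-in-get_task_comm.patch, `strncpy(buf, tsk->comm, sizeof(tsk->comm));` leaves `buf` unterminated if `tsk->comm` ever holds no NUL within its size, so the copy relies on every writer keeping `comm` terminated. The description says set_task_comm uses strlcpy, which would provide that, but that function is outside the hunk. The code also does not record why strncpy replaces memcpy: presumably because strncpy zero-fills after the terminator, so bytes left in `comm` past the NUL are not handed to the caller. I would add a comment above the call such as `/* strncpy, not memcpy: zero-pad so bytes after the NUL in comm are not copied out */`. The size requirement on `buf` in the existing comment remains an unchecked caller contract, since no length is passed.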