From: paulus@au1.ibm.com <paulus@au1.ibm.com>
Date: Tue, 15 Mar 2005 23:38:47 +0000 (-0800)
Subject: [PATCH] CAN-2005-0384: Remote Linux DoS on ppp servers
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a5be74f06e5f29e703cce2105ce9d20b18ed6e9;p=thirdparty%2Fkernel%2Fstable.git

[PATCH] CAN-2005-0384: Remote Linux DoS on ppp servers

Martin Schulze writes:

> Ben Martel and Stephen Blackheath have discovered a denial-of-service attack
> that a client of pppd can make that can hang the server machine.  The bug is
> in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists
> in the 2.4 series.

Yes, this is my bug. :(

I would just do this instead:

Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c
index a48e19391208f..33b9d79b1aada 100644
--- a/drivers/net/ppp_async.c
+++ b/drivers/net/ppp_async.c
@@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncppp *ap, unsigned char *data,
 	data += 4;
 	dlen -= 4;
 	/* data[0] is code, data[1] is length */
-	while (dlen >= 2 && dlen >= data[1]) {
+	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
 		switch (data[0]) {
 		case LCP_MRU:
 			val = (data[2] << 8) + data[3];