From 7a5be74f06e5f29e703cce2105ce9d20b18ed6e9 Mon Sep 17 00:00:00 2001 From: "paulus@au1.ibm.com" Date: Tue, 15 Mar 2005 15:38:47 -0800 Subject: [PATCH] [PATCH] CAN-2005-0384: Remote Linux DoS on ppp servers Martin Schulze writes: > Ben Martel and Stephen Blackheath have discovered a denial-of-service attack > that a client of pppd can make that can hang the server machine. The bug is > in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists > in the 2.4 series. Yes, this is my bug. :( I would just do this instead: Signed-off-by: Chris Wright Signed-off-by: Greg Kroah-Hartman --- drivers/net/ppp_async.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ppp_async.c b/drivers/net/ppp_async.c index a48e19391208f..33b9d79b1aada 100644 --- a/drivers/net/ppp_async.c +++ b/drivers/net/ppp_async.c @@ -1000,7 +1000,7 @@ static void async_lcp_peek(struct asyncppp *ap, unsigned char *data, data += 4; dlen -= 4; /* data[0] is code, data[1] is length */ - while (dlen >= 2 && dlen >= data[1]) { + while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) { switch (data[0]) { case LCP_MRU: val = (data[2] << 8) + data[3]; -- 2.47.2
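Review bot: In the `LCP_MRU` case, `val = (data[2] << 8) + data[3]` reads four bytes of the option, but the new loop condition only guarantees `data[1] >= 2` and `dlen >= data[1]`, so an MRU option with a declared length of 2 or 3 still has `data[2]` and `data[3]` read past the end of the option, and possibly past the remaining `dlen`. Consider checking `data[1] >= 4` inside that case before reading the value. It would also help to extend the `/* data[0] is code, data[1] is length */` comment to say that the length counts the two header bytes, which is why values below 2 are rejected, and to have the commit message state what a too-short length does to this loop, since the description only quotes the report.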