First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 53009
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 53009 depends on: Show dependency tree
Bug 53009 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-06-04 13:37 0000 
Just posted on FD not sure if it is real or not. Opening a bug so we can keep
track of it.

Ripped directly from mail:

All versions of l2tpd contain a bss-based buffer overflow. After
circumventing some minor obstacles (i.e., faking a L2TP tunnel
establishment) the overflow can be triggered by sending a specially
crafted packet.

The crucial code can be found in write_packet() in control.c:

    static unsigned char wbuf[MAX_RECV_SIZE];
    int pos = 0;
    [..]
    e = PPP_FLAG;
    wbuf[pos++] = e;
    for (x = 0; x < buf->len; x++)
    {
        e = *((char *) buf->start + x);
        if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
        {
            /* Escape this */
            e = e ^ 0x20;
            wbuf[pos++] = PPP_ESCAPE;
        }
        wbuf[pos++] = e;

    }
    wbuf[pos++] = PPP_FLAG;

Nota bene: buf->len can be upto 4080 = 4096 (=: MAX_RECV_SIZE) - 16.

It might be hard or even impossible to exploit this buffer overflow.

Thomas Walpuski

------- Comment #1 From Thierry Carrez (RETIRED) 2004-06-15 12:49:20 0000 ------- 
A few more pointers :

Debian has an open bug about it at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252973
and osvdb a reference at http://www.osvdb.org/6726

It's still unconfirmed, though.

------- Comment #2 From Thierry Carrez (RETIRED) 2004-07-11 07:10:07 0000 ------- 
Debian issued a fixed package, so we can assume there is a bug, even if it's
difficult to exploit. 

The fix appears in the diff file at :
http://http.us.debian.org/debian/pool/main/l/l2tpd/l2tpd_0.70-pre20031121-2.diff.gz
but it's applied to a 0.70_pre version they got from l2tpd repository. It might
be sufficient to take the following and apply it to control.c :

------------------------------------------------
     wbuf[pos++] = e;
     for (x = 0; x < buf->len; x++)
     {
+               // we must at least still have 4 bytes left in the worst case
scenario:
+               // 1 for a possible escape, 1 for the value and 1 to end the
PPP stream.
+               if(pos >= (sizeof(wbuf) - 4)) {
+                       if(DEBUG)
+                               log(LOG_CRIT, "%s: rx packet is too big after
PPP encoding (size %u, max is %u)\n", 
+                                                       __FUNCTION__, buf->len,
MAX_RECV_SIZE);
+                       return -EINVAL;
+               }
         e = *((char *) buf->start + x);
         if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
         {
---------------------------------------------

but I think someone from net-dialup should investigate the Debian diff further
and see what can be done.

------- Comment #3 From Kurt Lieber 2004-07-16 07:28:40 0000 ------- 
sent email directly to lanius and ferringb (members of the net-dialup herd)

will mask in portage if no action in 48 hours.

------- Comment #4 From Heinrich Wendel (RETIRED) 2004-07-20 10:23:53 0000 ------- 
added patch to -r2 and marked stable on x86

------- Comment #5 From Kurt Lieber 2004-07-22 05:09:42 0000 ------- 
glsa 200407-17
First Last Prev Next    No search results available      Search page      Enter new bug