l2tpd determines the size of a string buffer with strlen instead of sizeof, on a potentially uninitialized pointer. It's pure luck if /var/run/l2tpd.pid contains the PID (it does not for me). Seen with 0.69-r1. Fix: --- l2tpd.c.orig 2004-06-19 23:16:21.000000000 +0200 +++ l2tpd.c 2004-06-20 00:47:41.000000000 +0200 @@ -1036,7 +1036,7 @@ if(! pidfilewritten) { unlink(gconfig.pidfile); if ((i = open (gconfig.pidfile, O_WRONLY | O_CREAT, 0640)) >= 0) { - snprintf (buf, strlen(buf), "%d\n", (int)getpid()); + snprintf (buf, sizeof(buf), "%d\n", (int)getpid()); write (i, buf, strlen(buf)); close (i); pidfilewritten = 1; Reproducible: Always Steps to Reproduce:
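Review bot: sizeof(buf) is only the right bound if buf is declared as a char array in this function; its declaration is outside the hunk, so confirm it is not a char *, where sizeof would silently bound the output at the pointer size. The return value of snprintf is also worth checking here: if it is >= sizeof(buf) the pid was truncated and the file should not be written, since a truncated pid is exactly what leads to the wrong process being signalled on stop. The following write (i, buf, strlen(buf)) likewise ignores its return value.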
According to Jacco de Leeuw, Debian has additional patches that fix this bug and more. Might be worth a look.
On my box, only the first 4 digits of the pid are written into the file. When the service is stopped, it might happen that the *wrong process* is killed!! For me, this looks like a pretty severe problem.
Same problem as Michel Wilson, only first 4 digits of the pid are stored, so if you start l2tp and the pid is 5 digits, start-stop-daemon isn't able to stop it.
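To make the truncation described in the two comments above concrete, here is an added example (not l2tpd's code) that models the pid-file formatting with a buffer whose stale contents happen to be 5 characters long, next to the sizeof() form from the patch. The buffer size, the "stale" leftover bytes and the pid value are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size for this constructed example; l2tpd's actual size is not shown on the page. */
#define PIDBUF_SIZE 16

/* Simulate an uninitialized stack buffer whose leftover bytes happen to form
 * a short string. Constructed for the example. */
static void fill_stale(char *buf, size_t bufsize, const char *leftover)
{
    memset(buf, 0, bufsize);
    strncpy(buf, leftover, bufsize - 1);
}

/* Pre-patch behaviour: the bound is strlen(buf), i.e. whatever already sits
 * in the buffer. With 5 stale characters snprintf may write at most 4 digits
 * plus a NUL, so a five-digit pid loses its last digit and the newline. With
 * an empty buffer the bound is 0 and nothing is written at all. */
static void format_pid_buggy(char *buf, int pid)
{
    snprintf(buf, strlen(buf), "%d\n", pid);
}

/* Post-patch behaviour: bound by the real array size. Additionally returns -1
 * when snprintf reports that the output did not fit, so a caller can refuse
 * to write a truncated pid file instead of writing a wrong pid. */
static int format_pid_fixed(char *buf, size_t bufsize, int pid)
{
    int n = snprintf(buf, bufsize, "%d\n", pid);
    return (n < 0 || (size_t)n >= bufsize) ? -1 : 0;
}

int main(void)
{
    char buf[PIDBUF_SIZE];

    fill_stale(buf, sizeof buf, "stale");
    format_pid_buggy(buf, 12345);
    printf("buggy, stale buffer: \"%s\"\n", buf);   /* prints 1234 */

    fill_stale(buf, sizeof buf, "");
    format_pid_buggy(buf, 12345);
    printf("buggy, empty buffer: \"%s\"\n", buf);   /* prints nothing */

    if (format_pid_fixed(buf, sizeof buf, 12345) == 0)
        printf("fixed: %s", buf);                   /* prints 12345 */
    return 0;
}
```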
Created attachment 39530 (l2tpd-0.70_pre20031121.ebuild). This ebuild is based on Debian's unstable version (http://packages.debian.org/unstable/net/l2tpd).
committed l2tpd-0.70_pre20031121.ebuild, please test this one