Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 42796 Details for
Bug 69152
net-dialup/ppp: Remote DoS
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
cbcp-dosfix.patch
cbcp-dosfix.patch (text/plain), 3.31 KB, created by
Luke Macken (RETIRED)
on 2004-10-28 12:38:43 UTC
(
hide
)
Description:
cbcp-dosfix.patch
Filename:
MIME Type:
Creator:
Luke Macken (RETIRED)
Created:
2004-10-28 12:38:43 UTC
Size:
3.31 KB
patch
obsolete
>--- ppp-2.4.2/pppd/cbcp.c 2004-10-28 15:14:19.231292272 -0400 >+++ ppp-cvs/pppd/cbcp.c 2004-10-27 20:15:36.000000000 -0400 >@@ -33,7 +33,7 @@ > * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > */ > >-#define RCSID "$Id: cbcp.c,v 1.15 2003/01/17 07:23:35 fcusack Exp $" >+#define RCSID "$Id: cbcp.c,v 1.16 2004/10/28 00:15:36 paulus Exp $" > > #include <stdio.h> > #include <string.h> >@@ -165,7 +165,8 @@ > inp = inpacket; > > if (pktlen < CBCP_MINLEN) { >- error("CBCP packet is too small"); >+ if (debug) >+ dbglog("CBCP packet is too small"); > return; > } > >@@ -173,12 +174,11 @@ > GETCHAR(id, inp); > GETSHORT(len, inp); > >-#if 0 >- if (len > pktlen) { >- error("CBCP packet: invalid length"); >+ if (len > pktlen || len < CBCP_MINLEN) { >+ if (debug) >+ dbglog("CBCP packet: invalid length %d", len); > return; > } >-#endif > > len -= CBCP_MINLEN; > >@@ -189,11 +189,12 @@ > break; > > case CBCP_RESP: >- dbglog("CBCP_RESP received"); >+ if (debug) >+ dbglog("CBCP_RESP received"); > break; > > case CBCP_ACK: >- if (id != us->us_id) >+ if (debug && id != us->us_id) > dbglog("id doesn't match: expected %d recv %d", > us->us_id, id); > >@@ -312,11 +313,13 @@ > > address[0] = 0; > >- while (len) { >+ while (len >= 2) { > dbglog("length: %d", len); > > GETCHAR(type, pckt); > GETCHAR(opt_len, pckt); >+ if (opt_len < 2 || opt_len > len) >+ break; > > if (opt_len > 2) > GETCHAR(delay, pckt); >@@ -348,6 +351,11 @@ > } > len -= opt_len; > } >+ if (len != 0) { >+ if (debug) >+ dbglog("cbcp_recvreq: malformed packet (%d bytes left)", len); >+ return; >+ } > > cbcp_resp(us); > } >@@ -360,6 +368,7 @@ > u_char buf[256]; > u_char *bufp = buf; > int len = 0; >+ int slen; > > cb_type = us->us_allowed & us->us_type; > dbglog("cbcp_resp cb_type=%d", cb_type); >@@ -371,12 +380,17 @@ > > if (cb_type & ( 1 << CB_CONF_USER ) ) { > dbglog("cbcp_resp CONF_USER"); >+ slen = strlen(us->us_number); >+ if (slen > 250) { >+ warn("callback number truncated to 250 characters"); >+ slen = 250; >+ } > PUTCHAR(CB_CONF_USER, bufp); >- len = 3 + 1 + strlen(us->us_number) + 1; >+ len = 3 + 1 + slen + 1; > PUTCHAR(len , bufp); > PUTCHAR(5, bufp); /* delay */ > PUTCHAR(1, bufp); >- BCOPY(us->us_number, bufp, strlen(us->us_number) + 1); >+ BCOPY(us->us_number, bufp, slen + 1); > cbcp_send(us, CBCP_RESP, buf, len); > return; > } >@@ -438,25 +452,29 @@ > int opt_len; > char address[256]; > >- if (len) { >+ if (len >= 2) { > GETCHAR(type, pckt); > GETCHAR(opt_len, pckt); >+ if (opt_len >= 2 && opt_len <= len) { > >- if (opt_len > 2) >- GETCHAR(delay, pckt); >+ if (opt_len > 2) >+ GETCHAR(delay, pckt); > >- if (opt_len > 4) { >- GETCHAR(addr_type, pckt); >- memcpy(address, pckt, opt_len - 4); >- address[opt_len - 4] = 0; >- if (address[0]) >- dbglog("peer will call: %s", address); >- } >- if (type == CB_CONF_NO) >- return; >- } >+ if (opt_len > 4) { >+ GETCHAR(addr_type, pckt); >+ memcpy(address, pckt, opt_len - 4); >+ address[opt_len - 4] = 0; >+ if (address[0]) >+ dbglog("peer will call: %s", address); >+ } >+ if (type == CB_CONF_NO) >+ return; > >- cbcp_up(us); >+ cbcp_up(us); >+ >+ } else if (debug) >+ dbglog("cbcp_recvack: malformed packet"); >+ } > } > > /* ok peer will do callback */
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 69152
: 42796 |
42906