Bug 53009 - net-dialup/l2tpd: bss-based buffer overflow
Summary: net-dialup/l2tpd: bss-based buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All, OS: All
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: C0 [glsa] krispy
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-04 13:37 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2023-10-16 01:19 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-04 13:37:16 UTC
Just posted on FD; not sure if it is real or not. Opening a bug so we can keep track of it.

Ripped directly from mail:

All versions of l2tpd contain a bss-based buffer overflow. After
circumventing some minor obstacles (i.e., faking a L2TP tunnel
establishment) the overflow can be triggered by sending a specially
crafted packet.

The crucial code can be found in write_packet() in control.c:

    static unsigned char wbuf[MAX_RECV_SIZE];   /* 4096-byte buffer in .bss */
    int pos = 0;
    [..]
    e = PPP_FLAG;
    wbuf[pos++] = e;
    /* Each input byte can produce two output bytes (escape + value), but pos
     * is never checked against sizeof(wbuf). */
    for (x = 0; x < buf->len; x++)
    {
        e = *((char *) buf->start + x);
        if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
        {
            /* Escape this */
            e = e ^ 0x20;
            wbuf[pos++] = PPP_ESCAPE;
        }
        wbuf[pos++] = e;
    }
    wbuf[pos++] = PPP_FLAG;

Nota bene: buf->len can be up to 4080 = 4096 (=: MAX_RECV_SIZE) - 16.

It might be hard or even impossible to exploit this buffer overflow.

Thomas Walpuski
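As an added example (my own code, not l2tpd's write_packet() and not the Debian patch): the same PPP byte-stuffing loop with the bounds check that the report says is missing, plus the worst-case arithmetic showing why a 4080-byte payload cannot fit in a 4096-byte wbuf once escaped. The flag/escape values 0x7e/0x7d are the standard PPP (RFC 1662) ones; the function names and the constructed all-0x7e payload are assumptions of this example.

```c
/* Added example, not l2tpd's code: a bounds-checked version of the PPP
 * byte-stuffing loop in write_packet(), plus the worst-case size arithmetic. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PPP_FLAG      0x7e
#define PPP_ESCAPE    0x7d
#define MAX_RECV_SIZE 4096                 /* sizeof(wbuf) in l2tpd */
#define MAX_PAYLOAD   (MAX_RECV_SIZE - 16) /* 4080: largest buf->len per the report */
/* Every byte may need escaping (2 bytes each), plus opening and closing flags. */
size_t ppp_worst_case_len(size_t len)
{
    return 2 * len + 2;
}

/* PPP-frame 'in' into 'out'. Returns bytes written, or -1 if the escaped frame
 * would not fit in 'outcap'. The original loop had no such check, so a payload
 * dense in 0x00..0x1f, 0x7d or 0x7e bytes ran past the end of wbuf[]. */
long ppp_frame(const unsigned char *in, size_t len, unsigned char *out, size_t outcap)
{
    size_t pos = 0;
    if (outcap < 2) return -1;             /* room for at least the two flag bytes */
    out[pos++] = PPP_FLAG;
    for (size_t x = 0; x < len; x++) {
        unsigned char e = in[x];
        size_t need = (e < 0x20 || e == PPP_ESCAPE || e == PPP_FLAG) ? 2 : 1;
        if (pos + need + 1 > outcap) return -1; /* +1 keeps space for the closing flag */
        if (need == 2) {
            out[pos++] = PPP_ESCAPE;
            e ^= 0x20;
        }
        out[pos++] = e;
    }
    out[pos++] = PPP_FLAG;
    return (long)pos;
}

int main(void)
{
    static unsigned char payload[MAX_PAYLOAD], wbuf[MAX_RECV_SIZE];
    memset(payload, PPP_FLAG, sizeof payload); /* constructed worst-case input */
    printf("escaped worst case for %d bytes: %zu, wbuf holds %d\n", MAX_PAYLOAD,
           ppp_worst_case_len(MAX_PAYLOAD), MAX_RECV_SIZE);
    printf("bounded encoder returns %ld\n",
           ppp_frame(payload, sizeof payload, wbuf, sizeof wbuf));
    return 0;
}
```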
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-15 12:49:20 UTC
A few more pointers:

Debian has an open bug about it at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252973
and osvdb a reference at http://www.osvdb.org/6726

It's still unconfirmed, though.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-07-11 07:10:07 UTC
Debian issued a fixed package, so we can assume there is a bug, even if it's difficult to exploit. 

The fix appears in the diff file at: http://http.us.debian.org/debian/pool/main/l/l2tpd/l2tpd_0.70-pre20031121-2.diff.gz but it's applied to a 0.70_pre version they got from l2tpd repository. It might be sufficient to take the following and apply it to control.c:

------------------------------------------------
     wbuf[pos++] = e;
     for (x = 0; x < buf->len; x++)
     {
+		// we must at least still have 4 bytes left in the worst case scenario:
+		// 1 for a possible escape, 1 for the value and 1 to end the PPP stream.
+		if(pos >= (sizeof(wbuf) - 4)) {
+			if(DEBUG)
+				log(LOG_CRIT, "%s: rx packet is too big after PPP encoding (size %u, max is %u)\n", 
+						        __FUNCTION__, buf->len, MAX_RECV_SIZE);
+			return -EINVAL;
+		}
         e = *((char *) buf->start + x);
         if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
         {
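Review bot: the comment above the check does not match its own count: it says "at least still have 4 bytes left" but lists only three (1 for a possible escape, 1 for the value, 1 for the closing PPP_FLAG), while `if(pos >= (sizeof(wbuf) - 4))` reserves four; either say the fourth byte is deliberate slack or make the reserve match the list. The bound itself is safe: `pos` is below `sizeof(wbuf) - 4` on entry, the loop body writes at most two bytes, and the closing `wbuf[pos++] = PPP_FLAG;` after the loop still fits. Two smaller points: the log message reports `buf->len` and `MAX_RECV_SIZE` as "size" and "max", but the condition that fired is about the escaped length in `pos`, not the raw length, so include `pos` in the message; and since write_packet() now returns -EINVAL, the caller (not shown in this hunk) must check that return value, otherwise the oversized packet is dropped with no trace outside DEBUG builds.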
---------------------------------------------

but I think someone from net-dialup should investigate the Debian diff further and see what can be done.
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-07-16 07:28:40 UTC
sent email directly to lanius and ferringb (members of the net-dialup herd)

will mask in portage if no action in 48 hours.
Comment 4 Heinrich Wendel (RETIRED) gentoo-dev 2004-07-20 10:23:53 UTC
added patch to -r2 and marked stable on x86
Comment 5 Kurt Lieber (RETIRED) gentoo-dev 2004-07-22 05:09:42 UTC
glsa 200407-17