Hello,

I haven't seen anything related to this buffer overflow
on this list, so I am going to post some info:

Debian advisory: http://www.debian.org/security/2004/dsa-530

There is a buffer overflow in l2tpd, in control.c/write_packet().

The following diff is from Debian woody l2tpd-0.67, but it applies to 0.69 as well:

--- l2tpd-0.67.orig/control.c
+++ l2tpd-0.67/control.c
@@ -1575,6 +1575,15 @@
wbuf[pos++] = e;
for (x = 0; x < buf->len; x++)
{
+ // we must at least still have 3 bytes left in the worst case scenario:
+ // 1 for a possible escape, 1 for the value and 1 to end the PPP stream.
+ if(pos >= (sizeof(wbuf) - 4)) {
+ if(DEBUG)
+ log(LOG_CRIT, "%s: rx packet is too big after PPP encoding (size %u, max is %u)\n",
+ __FUNCTION__, buf->len, MAX_RECV_SIZE);
+ return -EINVAL;
+ }
+
e = *((char *) buf->start + x);
if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
{
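Review bot: the bound in `if(pos >= (sizeof(wbuf) - 4))` does not match the comment above it, which counts 3 bytes of worst-case headroom (escape, value, end of PPP stream). Reserving one extra byte is safe, but either the comment or the constant should be changed so the next reader does not "correct" the check in the wrong direction. A named constant for the headroom would help. The check also relies on `wbuf` being an array visible in this scope. If it is ever turned into a pointer, `sizeof(wbuf)` silently becomes the pointer size, so a note at the declaration or an explicit buffer-size macro is worth adding. On the logging: the message is raised at LOG_CRIT but only when DEBUG is set, so a non-debug build drops an oversized packet with no trace. Consider logging it unconditionally, rate-limited if needed. The message reports MAX_RECV_SIZE as the maximum although the test is against `sizeof(wbuf)`, and it says "rx packet" inside write_packet(). Printing the limit actually enforced, and confirming that `%u` matches the types of `buf->len` and MAX_RECV_SIZE, would make the log line trustworthy during triage. Finally, callers of write_packet() are not visible here. Confirm that they handle the new -EINVAL return instead of treating it as a byte count.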


Regards / Mit freundlichen Gruessen
 Matthias Ferdinand
--
one4vision GmbH
Goethestrasse 3-5
D-66121 Saarbrücken
Tel: +49 681 96727 60            [EMAIL PROTECTED]
Fax: +49 681 96727 69            http://www.one4vision.de



