hoy,

I posted this patch some time ago when I released the Debian
package. Tx anyway :)

J.

On Wed, Jul 21, 2004 at 06:16:52PM +0200, Matthias Ferdinand wrote:
> Hello,
> 
> I haven't seen anything related to this buffer overflow
> on this list, so I am going to post some info:
> 
> Debian advisory: http://www.debian.org/security/2004/dsa-530
> 
> There is a buffer overflow in l2tpd, in control.c/write_packet().
> 
> The following diff is from debian woody l2tpd-0.67, but it applies to 0.69 
> as well:
> 
> --- l2tpd-0.67.orig/control.c
> +++ l2tpd-0.67/control.c
> @@ -1575,6 +1575,15 @@
>     wbuf[pos++] = e;
>     for (x = 0; x < buf->len; x++)
>     {
> +             // we must at least still have 3 bytes left in the worst 
> case scenario:
> +        // 1 for a possible escape, 1 for the value and 1 to end the PPP 
> stream.
> +        if(pos >= (sizeof(wbuf) - 4)) {
> +            if(DEBUG)
> +                log(LOG_CRIT, "%s: rx packet is too big after PPP encoding 
> (size %u, max is %u)\n",
> +                                __FUNCTION__, buf->len, MAX_RECV_SIZE);
> +            return -EINVAL;
> +        }
> +
>         e = *((char *) buf->start + x);
>         if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
>         {
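
Review bot: The comment on the added check says 3 bytes must remain in the worst case, but the condition `pos >= (sizeof(wbuf) - 4)` reserves 4, so either the comment or the constant should be corrected to state the real worst case per iteration (escape byte, value byte, closing flag, plus whatever the fourth byte is for). The log message also reports `MAX_RECV_SIZE` as the maximum while the bound actually tested is `sizeof(wbuf)`, and it prints `buf->len` rather than `pos`, so the logged numbers will not explain why the packet was rejected; log the values that are compared. Because the message is emitted only under `if(DEBUG)`, the `-EINVAL` drop is silent in a non-debug build, which makes an oversized packet hard to notice operationally; consider logging it unconditionally. Minor: the text says "rx packet" inside write_packet(), and `sizeof(wbuf)` is only a valid bound if `wbuf` is an array in this scope rather than a pointer, which the hunk does not show.
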
> 
> Regards / Mit freundlichen Gruessen
>  Matthias Ferdinand
> -- 
> one4vision GmbH
> Goethestrasse 3-5
> D-66121 Saarbrücken
> Tel: +49 681 96727 60            [EMAIL PROTECTED]
> Fax: +49 681 96727 69            http://www.one4vision.de
> 

-- 
--

-> Jean-Francois Dive
--> [EMAIL PROTECTED]

  I think that God in creating Man somewhat overestimated his ability.
    -- Oscar Wilde
