On Wed, 18 Sep 2002, Tim Woodall wrote:

> On Tue, 17 Sep 2002, Paolo 'Garrone' Prandoni wrote:
> 
> > Answering Alex's question, my ISP is called Elitel, which basically uses 
> > Telecom Italia phone lines to provide ADSL connections.
> > 
> > Tim: about the bugs in atm.c and pppoa3.c, can you provide me with corrected 
> > source files? (I am sorry but I don't know C language....!!!!!!!!!!)
> > Thanks to all
> > Paolo
> > 
> 
> Thursday Evening I can do this provided I don't end up upgrading a server
> that night. (It's going to be Thursday or Friday night)
> 
> 
OK. To the CVS authors, here is a patch:

First two hunks fix the reported coredump where the last cell in the
buffer is bad and pti then holds an invalid value.

Next hunk (length<6) is a sanity check and would also have prevented
the reported coredump.

Fourth hunk (security fix) is one that has been bugging me for a long 
time. It is unlikely to happen by accident because the CRC has to be 
correct but the length invalid. The test is the loosest that is sufficient. 
It may be possible to tighten this test but I don't think it is worth
it unless someone is going to log this event.

Final hunk (pppoa3 - there may be a matching fix needed in pppoa2?)
prevents processing of the oversized cell that we have already flagged
as bad (because -1 is TRUE)!


I don't know how important the CVS history is and whether you want
to apply as several packages or just one.

... quickly runs off to check it still builds :-)


Regards,

Tim.



Index: atm.c
===================================================================
RCS file: /cvsroot/speedtouch/speedtouch/src/atm.c,v
retrieving revision 1.6
diff -u -r1.6 atm.c
--- atm.c       21 Mar 2002 23:35:43 -0000      1.6
+++ atm.c       19 Sep 2002 18:07:25 -0000
@@ -329,6 +329,7 @@
                                atm_header_get_pti(src));
                        src      += ATM_CELL_TOTAL_SIZE;
                        length   -= ATM_CELL_TOTAL_SIZE;
+                       pti = 0;    /* Reset pti because this could be the last cell 
+in the buffer */
                        continue;
                }
 
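Review bot: the added `pti = 0;` line arrives wrapped, so `+in the buffer */` starts a line of its own and the hunk no longer matches its `+329,7` count; patch will reject it as posted. Please resend as an attachment or shorten the comment so the line fits, for example `pti = 0; /* may be the last cell in the buffer */`.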
@@ -343,6 +344,7 @@
                        report(0, REPORT_DEBUG|REPORT_DATE|REPORT_DUMP, "Management 
cell in stream (OAM)\n", src, ATM_CELL_TOTAL_SIZE);
                        src    += ATM_CELL_TOTAL_SIZE;
                        length -= ATM_CELL_TOTAL_SIZE;
+                       pti = 0;    /* Reset pti because this could be the last cell 
+in the buffer */
                        continue;
                }
 
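Review bot: this is the same `pti = 0;` reset and comment as in the previous hunk, repeated on a second skip path just before `continue`, and any skip path added later will need it too. If the loop structure allows, clear `pti` once at the point where the loop moves on to the next cell so the reset cannot be forgotten. The comment line is wrapped here as well, which breaks the hunk.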
@@ -384,6 +386,8 @@
        int real_length;
        unsigned int frame_crc, computed_crc;
 
+       if(length < 6)
+               return(-1);
 
        /* CRC checking */
        computed_crc = ~aal5_calc_crc(frame, length - 4, ~0);
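Review bot: the literal in `if(length < 6)` is unexplained; it only makes sense next to the `length - 4` CRC span below and the `frame[length - 6]` read in the next hunk. Please add a comment or a named constant saying which trailer bytes it protects. It is also worth confirming that callers handle this `-1` the same way as any other failure from this function, since a short frame is now reported through the same return value.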
@@ -395,6 +399,10 @@
 
        /* Find the real len */
        real_length = (((int)frame[length - 6])<<8)|((int)frame[length - 5]);
+
+       if(real_length > length)
+               /* This is most likely a deliberate hack attempt - perhaps we ought to 
+log this??? */
+               return(-1);
 
        /* Copy the data */
        if(data != frame)
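Review bot: `if(real_length > length)` still accepts a length field that reaches into the trailer, because the field itself is read from `frame[length - 6]` and the CRC span ends at `length - 4`, so no payload can extend past `length - 6`. Comparing against the frame length minus the trailer bytes would be the tighter bound. The unbraced `if` with a wrapped comment between the condition and `return(-1);` is fragile; please brace it, and since the comment asks about logging, a `report(0, REPORT_ERROR|REPORT_DATE, ...)` call like the one in pppoa3.c would answer that question.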
Index: pppoa3.c
===================================================================
RCS file: /cvsroot/speedtouch/speedtouch/src/pppoa3.c,v
retrieving revision 1.24
diff -u -r1.24 pppoa3.c
--- pppoa3.c    18 May 2002 19:54:46 -0000      1.24
+++ pppoa3.c    19 Sep 2002 18:07:27 -0000
@@ -867,6 +867,7 @@
                /* A buffer overflow has been detected */
                if(pti<0) {
                        report(0, REPORT_ERROR|REPORT_DATE, "Buffer overflow, too many 
cells for the same aal5 frame\n");
+                       pti = 0;
                }
 
                /* As the last pti is 1, we have to send the aal5_frame data */
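Review bot: `pti = 0;` inside `if(pti<0)` has no comment, and it is only correct if the code after the visible context skips sending when `pti` is 0. Please say so in a comment here, for example that the frame is dropped rather than sent. It is also not visible in this hunk whether the cells already accumulated for the oversized frame are discarded before the next frame starts; that should be checked together with the pppoa2 question raised in the message.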

-- 
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t," 
and there was light.

     http://tjw.hn.org/      http://www.locofungus.btinternet.co.uk/
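
Added example, not part of the original message or the speedtouch sources: a stand-alone C version of the tightened length test that the message says may be possible for the fourth hunk. It assumes the standard 8-byte AAL5 trailer and a frame made of whole 48-byte cell payloads; all function and macro names are hypothetical and the sample frame is constructed.

```c
/* Added example; names are hypothetical, not from the speedtouch sources. */
#include <stdint.h>
#include <stdio.h>

#define AAL5_TRAILER 8   /* UU(1) + CPI(1) + Length(2) + CRC-32(4) */
#define CELL_PAYLOAD 48  /* payload bytes per ATM cell */

/* AAL5 CRC-32: poly 0x04C11DB7, MSB first, initial value and final XOR all ones. */
uint32_t crc32_aal5(const unsigned char *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= (uint32_t)*p++ << 24;
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x80000000u) ? (crc << 1) ^ 0x04C11DB7u : crc << 1;
    }
    return ~crc;
}

/* Payload length of a reassembled frame, or -1 if the frame must be dropped. */
long aal5_checked_length(const unsigned char *f, size_t total)
{
    if (total < AAL5_TRAILER || total % CELL_PAYLOAD != 0)
        return -1;                        /* too short for the trailer reads */
    uint32_t stored = (uint32_t)f[total - 4] << 24 | (uint32_t)f[total - 3] << 16
                    | (uint32_t)f[total - 2] << 8  | (uint32_t)f[total - 1];
    if (crc32_aal5(f, total - 4) != stored)
        return -1;
    size_t len  = (size_t)f[total - 6] << 8 | f[total - 5];
    size_t room = total - AAL5_TRAILER;   /* bytes that can be payload or padding */
    if (len > room || room - len >= CELL_PAYLOAD)
        return -1;                        /* CRC is fine, length field is impossible */
    return (long)len;
}

/* Constructed sample: a one-cell frame with a valid CRC and a chosen length field. */
long check_claimed(unsigned claimed)
{
    unsigned char f[CELL_PAYLOAD] = "hello";
    f[42] = (unsigned char)(claimed >> 8); f[43] = (unsigned char)claimed;
    uint32_t c = crc32_aal5(f, 44);
    for (int i = 0; i < 4; i++) f[44 + i] = (unsigned char)(c >> (24 - 8 * i));
    return aal5_checked_length(f, sizeof f);
}

int main(void)
{
    printf("%ld %ld %ld\n", check_claimed(5), check_claimed(41), check_claimed(48));
    return 0;
}
```

Length fields of 41 and 48 in a 48-byte frame are not greater than the frame length, yet both overlap the trailer and are rejected here.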




ALCATEL SpeedTouch USB modem mailing list