[pptp-server] Kernel oops with 2.4.18 + mppe -- patch included

Thorvald Natvig thorvald at natvig.com
Sun Mar 24 08:48:59 CST 2002


Hi,

I recently upgraded from 2.2.19 to 2.4.18 for our main VPN server. I
downloaded the stock 2.4.18 kernel and applied the mppe-openssl patch
for 2.4.16 I found on http://mirror.binarix.com

Unfortunately, this combination has a crash bug. The remote end client
will occasionally send packets that are larger than the MRU. The mppe
decompressor doesn't check the size of its output buffer... This
results in it both overwriting a few buffers and returning a
decompressed length longer than 'osize', which makes the skb_put call in
ppp_generic:decompress_frame produce a kernel oops.

I haven't had time to properly investigate the problem, but I noticed
that 2.2.19 allocates a few bytes extra for its decompression buffer,
so I just copied that trick and added a quick and dirty osize check to
the mppe module.

If someone else has already fixed this and made a more proper patch,
please let me know ;)

Patch:

--- drivers/net/ppp_generic.c.prefix	Sun Mar 24 15:31:44 2002
+++ drivers/net/ppp_generic.c	Sun Mar 24 14:57:12 2002
@@ -1519,14 +1519,14 @@
 	int len;
 
 	if (proto == PPP_COMP) {
-		ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN);
+		ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN + 256);
 		if (ns == 0) {
 			printk(KERN_ERR "ppp_decompress_frame: no
memory\n");
 			goto err;
 		}
 		/* the decompressor still expects the A/C bytes in the
hdr */
 		len = ppp->rcomp->decompress(ppp->rc_state, skb->data -
2,
-				skb->len + 2, ns->data, ppp->mru +
PPP_HDRLEN);
+				skb->len + 2, ns->data, ppp->mru +
PPP_HDRLEN + 256);
 		if (len < 0) {
 			/* Pass the compressed frame to pppd as an
 			   error indication. */
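
Review bot: the return value of ->decompress() is still only tested with `len < 0` in this hunk, so a `len` larger than the output size passed in is not rejected and the caller keeps relying on every decompressor honouring osize. Suggest treating a `len` above `ppp->mru + PPP_HDRLEN + 256` as an error too. The 256 is also an unexplained constant written twice, once in `dev_alloc_skb` and once in the osize argument; computing the size once into a local, with a comment saying where the slack comes from, keeps the two in sync. The hunk has been line-wrapped by the mailer (the `printk` string, the comment and the `decompress` arguments are split), so it will not apply as posted.
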
--- drivers/net/ppp_mppe.c.prefix	Sun Mar 24 14:54:51 2002
+++ drivers/net/ppp_mppe.c	Sun Mar 24 14:56:25 2002
@@ -530,6 +530,15 @@
 	return DECOMP_ERROR;
     }
 
+    if (osize < isize - MPPE_OVHD) {
+	if (state->debug) {
+	    printk(KERN_DEBUG "mppe_decompress%d: long packet
(len=%d)\n",
+		state->unit, isize);
+	}
+
+	return DECOMP_ERROR;
+    }
+
     /* Check the sequence number. */
     seq = MPPE_CCOUNT_FROM_PACKET(ibuf);
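
Review bot: the new test `osize < isize - MPPE_OVHD` needs a comment saying why `isize - MPPE_OVHD` is the number of bytes that will be written to the output buffer, and whether `isize` is already known to be at least MPPE_OVHD at this point. If it is not, the subtraction can go negative (or wrap, if the operands are unsigned) and the comparison no longer bounds anything. The rejection is only logged when `state->debug` is set and the message prints `isize` alone; including `osize` would make the log line usable on its own.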
 



