[pptp-server] Kernel oops with 2.4.18 + mppe -- patch included
Joey Coco
anesthes at cisdi.com
Sun Mar 24 15:49:20 CST 2002
Hi,
Odd. My distro has standardized on 2.4.17 for a while now and not had this
problem. Perhaps it's unique to 2.4.18.
-- Joe
On Sun, 24 Mar 2002, Thorvald Natvig wrote:
> Hi,
>
> I recently upgraded from 2.2.19 to 2.4.18 for our main VPN server. I
> downloaded the stock 2.4.18 kernel and applied the mppe-openssl patch
> for 2.4.16 I found on http://mirror.binarix.com
>
> Unfortunately, this combination has a crash bug. The remote end client
> will occasionally send packets that are larger than the MRU. The mppe
> decompressor doesn't check the size of its output buffer... This
> results in it both overwriting a few buffers and returning a
> decompressed length longer than 'osize', which makes the skb_put call in
> ppp_generic:decompress_frame produce a kernel oops.
>
> I haven't had time to properly investigate the problem, but I noticed
> that 2.2.19 allocates a few bytes extra for its decompression buffer,
> so I just copied that trick and added a quick and dirty osize check to
> the mppe module.
>
> If someone else has already fixed this and made a more proper patch,
> please let me know ;)
>
> Patch:
>
> --- drivers/net/ppp_generic.c.prefix Sun Mar 24 15:31:44 2002
> +++ drivers/net/ppp_generic.c Sun Mar 24 14:57:12 2002
> @@ -1519,14 +1519,14 @@
> int len;
>
> if (proto == PPP_COMP) {
> - ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN);
> + ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN + 256);
> if (ns == 0) {
> printk(KERN_ERR "ppp_decompress_frame: no
> memory\n");
> goto err;
> }
> /* the decompressor still expects the A/C bytes in the
> hdr */
> len = ppp->rcomp->decompress(ppp->rc_state, skb->data -
> 2,
> - skb->len + 2, ns->data, ppp->mru +
> PPP_HDRLEN);
> + skb->len + 2, ns->data, ppp->mru +
> PPP_HDRLEN + 256);
> if (len < 0) {
> /* Pass the compressed frame to pppd as an
> error indication. */
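Review bot: The literal 256 is written twice in this hunk, once in the dev_alloc_skb() size and once in the osize argument to decompress(), and nothing ties the two together; if one is changed later, the decompressor is told a size different from what was allocated. Compute the size once (a local holding ppp->mru + PPP_HDRLEN + 256, or a named constant for the slack) and use it in both places, with a comment saying where 256 comes from. The only check on len visible here is len < 0; an upper-bound check against the allocated size would keep the caller safe whatever the decompressor returns.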
> --- drivers/net/ppp_mppe.c.prefix Sun Mar 24 14:54:51 2002
> +++ drivers/net/ppp_mppe.c Sun Mar 24 14:56:25 2002
> @@ -530,6 +530,15 @@
> return DECOMP_ERROR;
> }
>
> + if (osize < isize - MPPE_OVHD) {
> + if (state->debug) {
> + printk(KERN_DEBUG "mppe_decompress%d: long packet
> (len=%d)\n",
> + state->unit, isize);
> + }
> +
> + return DECOMP_ERROR;
> + }
> +
> /* Check the sequence number. */
> seq = MPPE_CCOUNT_FROM_PACKET(ibuf);
>
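Review bot: The new test osize < isize - MPPE_OVHD depends on isize being at least MPPE_OVHD, which this hunk does not show; if a shorter frame can reach this point, the subtraction goes negative (or wraps, if the operands are unsigned) and the comparison no longer means what it says. Writing it as isize > osize + MPPE_OVHD avoids the subtraction. The debug message would be more useful if it printed osize alongside isize, and because it is only emitted when state->debug is set, a dropped oversized packet is otherwise silent.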
>
>
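The failure described in the quoted report, reduced to a user-space C model (an added example, not code from the patch or the kernel): a decompressor that checks osize before writing, and a caller that refuses a returned length larger than the buffer it sized. MODEL_OVHD, MODEL_ERROR, model_decompress and deliver_frame are hypothetical names, the overhead value and sample frame are constructed, and the XOR transform only stands in for the real cipher.

```c
#include <stddef.h>

#define MODEL_OVHD  4     /* constructed overhead, stands in for MPPE_OVHD */
#define MODEL_ERROR (-1)  /* stands in for DECOMP_ERROR */

static unsigned char sample_frame[64];  /* constructed input: 64 zero bytes */
static unsigned char sample_out[32];

/* Write at most osize bytes to obuf. Returns the output length, or
 * MODEL_ERROR if the frame is too short or its payload would not fit. */
static int model_decompress(const unsigned char *ibuf, int isize,
                            unsigned char *obuf, int osize)
{
    int i, olen;

    if (isize <= MODEL_OVHD)        /* no payload; also keeps olen positive */
        return MODEL_ERROR;
    olen = isize - MODEL_OVHD;
    if (osize < 0 || olen > osize)  /* the bound the report says was missing */
        return MODEL_ERROR;
    for (i = 0; i < olen; i++)      /* toy XOR transform in place of RC4 */
        obuf[i] = ibuf[MODEL_OVHD + i] ^ 0x5a;
    return olen;
}

/* Caller side: one value (cap) sizes the buffer and is passed as osize, and
 * a returned length outside [0, cap] is rejected before it is used the way
 * skb_put() would use it. Returns bytes accepted, or MODEL_ERROR. */
static int deliver_frame(const unsigned char *frame, int flen, int mru,
                         int hdr, unsigned char *out, size_t out_cap)
{
    int cap = mru + hdr;
    int len;

    if (cap < 0 || (size_t)cap > out_cap)
        return MODEL_ERROR;
    len = model_decompress(frame, flen, out, cap);
    if (len < 0 || len > cap)       /* do not trust the callee's length */
        return MODEL_ERROR;
    return len;
}

int main(void)
{
    /* 16-byte MRU + 4-byte header = 20-byte buffer; 64-byte frame is refused */
    int r = deliver_frame(sample_frame, 64, 16, 4, sample_out, sizeof sample_out);
    return r == MODEL_ERROR ? 0 : 1;
}
```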