[pptp-server] Kernel oops with 2.4.18 + mppe -- patch included

Joey Coco anesthes at cisdi.com
Sun Mar 24 15:49:20 CST 2002


Hi,

Odd. My distro has standardized on 2.4.17 for a while now and not had this
problem. Perhaps it's unique to 2.4.18. 

-- Joe


On Sun, 24 Mar 2002, Thorvald Natvig wrote:

> Hi,
> 
> I recently upgraded from 2.2.19 to 2.4.18 for our main VPN server. I
> downloaded the stock 2.4.18 kernel and applied the mppe-openssl patch
> for 2.4.16 I found on http://mirror.binarix.com
> 
> Unfortunately, this combination has a crash bug. The remote end client
> will occasionally send packets that are larger than the MRU. The mppe
> decompressor doesn't check the size of its output buffer... This
> results in it both overwriting a few buffers and returning a
> decompressed length longer than 'osize', which makes the skb_put call in
> ppp_generic:decompress_frame produce a kernel oops.
> 
> I haven't had time to properly investigate the problem, but I noticed
> that 2.2.19 allocates a few bytes extra for its decompression buffer,
> so I just copied that trick and added a quick and dirty osize check to
> the mppe module.
> 
> If someone else has already fixed this and made a more proper patch,
> please let me know ;)
> 
> Patch:
> 
> --- drivers/net/ppp_generic.c.prefix	Sun Mar 24 15:31:44 2002
> +++ drivers/net/ppp_generic.c	Sun Mar 24 14:57:12 2002
> @@ -1519,14 +1519,14 @@
>  	int len;
>  
>  	if (proto == PPP_COMP) {
> -		ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN);
> +		ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN + 256);
>  		if (ns == 0) {
>  			printk(KERN_ERR "ppp_decompress_frame: no
> memory\n");
>  			goto err;
>  		}
>  		/* the decompressor still expects the A/C bytes in the
> hdr */
>  		len = ppp->rcomp->decompress(ppp->rc_state, skb->data -
> 2,
> -				skb->len + 2, ns->data, ppp->mru +
> PPP_HDRLEN);
> +				skb->len + 2, ns->data, ppp->mru +
> PPP_HDRLEN + 256);
>  		if (len < 0) {
>  			/* Pass the compressed frame to pppd as an
>  			   error indication. */
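Review bot: The 256 bytes of slack are an unexplained magic number written out twice, once in the dev_alloc_skb() call and once in the osize argument to decompress(), so the two can drift apart in a later edit. Compute the buffer size once into a local (or a named constant with a comment saying what the slack covers) and pass that same value to both calls. The visible check after the call is only "len < 0", so a decompressor that returns more than osize is still trusted; comparing len against the allocated size before it is used would keep this path safe even if a compressor module gets its own bounds check wrong.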
> --- drivers/net/ppp_mppe.c.prefix	Sun Mar 24 14:54:51 2002
> +++ drivers/net/ppp_mppe.c	Sun Mar 24 14:56:25 2002
> @@ -530,6 +530,15 @@
>  	return DECOMP_ERROR;
>      }
>  
> +    if (osize < isize - MPPE_OVHD) {
> +	if (state->debug) {
> +	    printk(KERN_DEBUG "mppe_decompress%d: long packet
> (len=%d)\n",
> +		state->unit, isize);
> +	}
> +
> +	return DECOMP_ERROR;
> +    }
> +
>      /* Check the sequence number. */
>      seq = MPPE_CCOUNT_FROM_PACKET(ibuf);
>  
> 
> 
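The failure described in the original report, reduced to a user-space model (an added example, not part of either post and not kernel code): the decompressor refuses a frame whose output would not fit, and the caller independently refuses any returned length above what it allocated. All names (model_decompress, model_receive, MODEL_OVHD) and the overhead value are hypothetical, and the XOR is a stand-in for the real cipher.

```c
#include <string.h>

#define MODEL_OVHD   4      /* constructed: header bytes the decompressor strips */
#define DECOMP_ERROR (-1)   /* model value; the kernel defines its own */

/* Model decompressor: copies the payload that follows a MODEL_OVHD-byte
 * header. Rejects frames whose output would overrun obuf, which is the
 * check the report says was missing. */
static int model_decompress(const unsigned char *ibuf, int isize,
                            unsigned char *obuf, int osize)
{
    int i, olen;

    if (isize <= MODEL_OVHD)            /* too short to carry a payload */
        return DECOMP_ERROR;
    olen = isize - MODEL_OVHD;          /* safe: isize > MODEL_OVHD here */
    if (osize < olen)                   /* output would not fit in obuf */
        return DECOMP_ERROR;
    for (i = 0; i < olen; i++)
        obuf[i] = ibuf[MODEL_OVHD + i] ^ 0x5a;   /* stand-in for decryption */
    return olen;
}

/* Model caller: like code about to call skb_put(), it must not accept a
 * length larger than the space it handed out, whatever the callee returns. */
static int model_receive(const unsigned char *frame, int flen, int mru,
                         unsigned char *out, int out_cap)
{
    int len;

    if (mru > out_cap)                  /* never advertise more than we own */
        return DECOMP_ERROR;
    len = model_decompress(frame, flen, out, mru);
    if (len < 0 || len > mru)           /* second check on the return value */
        return DECOMP_ERROR;
    return len;
}

int main(void)
{
    unsigned char frame[64], out[16];

    memset(frame, 0x5a, sizeof(frame)); /* constructed sample frame */
    /* A 12-byte frame fits an 8-byte MRU; a 64-byte frame is rejected. */
    return !(model_receive(frame, 12, 8, out, sizeof(out)) == 8 &&
             model_receive(frame, 64, 8, out, sizeof(out)) == DECOMP_ERROR);
}
```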