On Thu, Feb 09, 2006 at 09:08:19PM -0800, Greg KH wrote:
> On Thu, Feb 09, 2006 at 08:57:29PM -0800, Andrew Morton wrote:
> > Greg KH <[email protected]> wrote:
> > >
> > > On Wed, Feb 08, 2006 at 01:35:41PM +0100, Holger Eitzenberger wrote:
> > > > On Fri, Jan 27, 2006 at 06:18:35PM -0800, Greg KH wrote:
> > > >
> > > > > DEBUGP("altering call id from 0x%04x to 0x%04x\n",
> > > > > - ntohs(*cid), ntohs(new_callid));
> > > > > + ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid));
> > > >
> > > > Note that this fix introduces another bug in the above use DEBUGP
> > > > statement, as there is (u_int16_t *) ptr arithmetic used, whereas
> > > > cid_off is a byte offset.
> > > >
> > > > A fix for that was sent a few weeks ago on netfilter-devel.
> > >
> > > Great, care to forward it to [email protected] so we can get it in the
> > > next release?
> > >
> >
> > I have a copy of the patch and I'll cc stable@ on it. Although afaik this
> > bug just causes wrong debug info to come out, so I don't think it's
> > terribly important (?)
>
> If that's the only problem with it, no it's not worth adding to -stable.

Yes, this patch only fixes code in DEBUG statements. Debug can only be
enabled at compile time, so I agree it's not a candidate for -stable.

--
- Harald Welte <[email protected]> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie
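
Review bot: In the added `+` line of the quoted DEBUGP hunk, `*(u_int16_t *)pptpReq + cid_off` applies the cast and the dereference before the `+`, so as written it loads the 16-bit word at the start of `pptpReq` and adds `cid_off` to that value instead of reading the field at that offset. Since `cid_off` is described in this thread as a byte offset, apply it to a byte pointer before casting, for example `*(u_int16_t *)((unsigned char *)pptpReq + cid_off)`, so the debug line prints the call id that is actually being altered. Only the DEBUGP argument is affected in the lines shown.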
- References:
- [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037)
- From: Greg KH <[email protected]>
- Re: [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037)
- From: Holger Eitzenberger <[email protected]>
- Re: [stable] Re: [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037)
- From: Greg KH <[email protected]>
- Re: [stable] Re: [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037)
- From: Andrew Morton <[email protected]>
- Re: [stable] Re: [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037)
- From: Greg KH <[email protected]>
- [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037)