On Fri, 2006-09-01 at 01:13 +0200, Eric Sesterhenn wrote:
> --- linux-2.6.18-rc5/drivers/net/wan/syncppp.c.orig 2006-09-01 00:55:08.000000000 +0200
> +++ linux-2.6.18-rc5/drivers/net/wan/syncppp.c 2006-09-01 00:55:45.000000000 +0200
> @@ -505,14 +505,15 @@ static void sppp_lcp_input (struct sppp
> skb->len, h);
> break;
> case LCP_CONF_REQ:
> - if (len < 4) {
> + if (len <= 4) {
> if (sp->pp_flags & PP_DEBUG)
> printk (KERN_DEBUG"%s: invalid lcp configure request packet length: %d bytes\n",
> dev->name, len);
> break;
> }
> - if (len>4 && !sppp_lcp_conf_parse_options (sp, h, len, &rmagic))
> + if (!sppp_lcp_conf_parse_options (sp, h, len, &rmagic))
> goto badreq;
> +
> if (rmagic == sp->lcp.magic) {
> /* Local and remote magics equal -- loopback? */
> if (sp->pp_loopcnt >= MAXALIVECNT*5) {
This is not correct.
>From RFC1661:
Valid LCP configuration requests can have zero options (len == 4).
If the magic number option is not included in the LCP CFG REQ,
then the magic number should be treated as zero.
The correct fix is to initialize rmagic to zero before
the if (len>4 && !sppp_lcp_conf_parse_options()) line.
--
Paul
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
