Message-Id: <1157067913.2634.3.camel@localhost.localdomain>
Date:	Thu, 31 Aug 2006 18:45:13 -0500
From:	Paul Fulghum <paulkf@...rogate.com>
To:	Eric Sesterhenn <snakebyte@....de>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [Patch] Uninitialized variable in drivers/net/wan/syncppp.c

On Fri, 2006-09-01 at 01:13 +0200, Eric Sesterhenn wrote:

> --- linux-2.6.18-rc5/drivers/net/wan/syncppp.c.orig	2006-09-01 00:55:08.000000000 +0200
> +++ linux-2.6.18-rc5/drivers/net/wan/syncppp.c	2006-09-01 00:55:45.000000000 +0200
> @@ -505,14 +505,15 @@ static void sppp_lcp_input (struct sppp 
>  			skb->len, h);
>  		break;
>  	case LCP_CONF_REQ:
> -		if (len < 4) {
> +		if (len <= 4) {
>  			if (sp->pp_flags & PP_DEBUG)
>  				printk (KERN_DEBUG"%s: invalid lcp configure request packet length: %d bytes\n",
>  					dev->name, len);
>  			break;
>  		}
> -		if (len>4 && !sppp_lcp_conf_parse_options (sp, h, len, &rmagic))
> +		if (!sppp_lcp_conf_parse_options (sp, h, len, &rmagic))
>  			goto badreq;
> +
>  		if (rmagic == sp->lcp.magic) {
>  			/* Local and remote magics equal -- loopback? */
>  			if (sp->pp_loopcnt >= MAXALIVECNT*5) {
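
Review bot: The `len <= 4` test at the top of the LCP_CONF_REQ case now sends a Configure-Request with len == 4 into the "invalid lcp configure request packet length" branch, although the removed `len>4 &&` guard shows that a request with no option bytes used to be accepted and simply skipped sppp_lcp_conf_parse_options(). That is a behaviour change beyond fixing the unset read at `if (rmagic == sp->lcp.magic)`. Consider keeping `len < 4` and the `len>4 &&` guard, and giving rmagic a defined value before the parse call so the comparison is well defined when parsing is skipped.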

This is not correct.

From RFC1661:
Valid LCP configuration requests can have zero options (len == 4).
If the magic number option is not included in the LCP CFG REQ,
then the magic number should be treated as zero.

The correct fix is to initialize rmagic to zero before
the if (len>4 && !sppp_lcp_conf_parse_options()) line.

--
Paul
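
The rule cited in the reply above, shown as an added example that is not part of the original message and is not the syncppp.c code: a stand-alone option walker that writes the remote magic before any parsing, so a Configure-Request with zero options (len == 4) yields magic 0. The function name and the sample packets are constructed for illustration; the Magic-Number option is type 5 with length 6 in RFC 1661.

```c
#include <stddef.h>
#include <stdint.h>

#define LCP_HDR_LEN   4   /* code, id, 16-bit length */
#define LCP_OPT_MAGIC 5   /* Magic-Number option, RFC 1661 */

/*
 * Hypothetical helper (not the syncppp.c function): walk the options of an
 * LCP Configure-Request. Returns 0 on success and -1 on a malformed packet.
 * *rmagic is always written, so the caller never reads an unset value.
 */
int lcp_conf_req_magic(const uint8_t *pkt, size_t len, uint32_t *rmagic)
{
    size_t off = LCP_HDR_LEN;

    *rmagic = 0;                      /* default when the option is absent */
    if (len < LCP_HDR_LEN)
        return -1;                    /* shorter than the LCP header */

    while (off < len) {               /* len == 4: loop body never runs */
        size_t left = len - off;
        uint8_t type, olen;

        if (left < 2)
            return -1;                /* truncated option header */
        type = pkt[off];
        olen = pkt[off + 1];
        if (olen < 2 || olen > left)
            return -1;                /* option overruns the packet */
        if (type == LCP_OPT_MAGIC) {
            if (olen != 6)
                return -1;            /* magic is type, len, 4 data bytes */
            *rmagic = (uint32_t)pkt[off + 2] << 24 | (uint32_t)pkt[off + 3] << 16 |
                      (uint32_t)pkt[off + 4] << 8  | (uint32_t)pkt[off + 5];
        }
        off += olen;
    }
    return 0;
}

/* Constructed sample packets (code 1 = Configure-Request, id 1). */
const uint8_t req_no_opts[] = { 1, 1, 0, 4 };
const uint8_t req_magic[]   = { 1, 1, 0, 10, 5, 6, 0xde, 0xad, 0xbe, 0xef };
const uint8_t req_bad_opt[] = { 1, 1, 0, 8, 5, 6, 0xde, 0xad };
```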

