From 88aa92b454e211457d0b2ac5a6db76811e1840e3 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Tue, 2 Nov 2004 14:55:59 +0000
Subject: [PATCH] [tw] - fixed out of bounds memory access, possible DOS
---
 ppp-2.4.1-pkgcheck.patch | 142 +++++++++++++++++++++++++++++++++++++++
 ppp.spec | 7 +-
 2 files changed, 148 insertions(+), 1 deletion(-)
 create mode 100644 ppp-2.4.1-pkgcheck.patch
diff --git a/ppp-2.4.1-pkgcheck.patch b/ppp-2.4.1-pkgcheck.patch
new file mode 100644
index 0000000..c2b185b
--- /dev/null
+++ b/ppp-2.4.1-pkgcheck.patch
@@ -0,0 +1,142 @@
+--- ppp-2.4.1/pppd/cbcp.c.pkgcheck 2004-11-02 14:19:23.000000000 +0100
++++ ppp-2.4.1/pppd/cbcp.c 2004-11-02 15:04:06.000000000 +0100
+@@ -150,7 +150,8 @@
+ inp = inpacket;
+ 
+ if (pktlen < CBCP_MINLEN) {
+- error("CBCP packet is too small");
++ if (debug)
++ dbglog("CBCP packet is too small");
+ return;
+ }
+@@ -158,12 +159,11 @@
+ GETCHAR(id, inp);
+ GETSHORT(len, inp);
+ 
+-#if 0
+- if (len > pktlen) {
+- error("CBCP packet: invalid length");
++ if (len > pktlen || len < CBCP_MINLEN) {
++ if (debug)
++ dbglog("CBCP packet: invalid length %d", len);
+ return;
+ }
+-#endif
+ 
+ len -= CBCP_MINLEN;
+ 
+@@ -174,11 +174,12 @@
+ break;
+ 
+ case CBCP_RESP:
+- dbglog("CBCP_RESP received");
++ if (debug)
++ dbglog("CBCP_RESP received");
+ break;
+ 
+ case CBCP_ACK:
+- if (id != us->us_id)
++ if (debug && id != us->us_id)
+ dbglog("id doesn't match: expected %d recv %d",
+ us->us_id, id);
+ 
+@@ -297,11 +298,13 @@
+ 
+ address[0] = 0;
+ 
+- while (len) {
++ while (len >= 2) {
+ dbglog("length: %d", len);
+ 
+ GETCHAR(type, pckt);
+ GETCHAR(opt_len, pckt);
++ if (opt_len < 2 || opt_len > len)
++ break;
+ 
+ if (opt_len > 2)
+ GETCHAR(delay, pckt);
+@@ -333,6 +336,11 @@
+ }
+ len -= opt_len;
+ }
++ if (len != 0) {
++ if (debug)
++ dbglog("cbcp_recvreq: malformed packet (%d bytes left)", len);
++ return;
++ }
+ 
+ cbcp_resp(us);
+ }
+@@ -345,6 +353,7 @@
+ u_char buf[256];
+ u_char *bufp = buf;
+ int len = 0;
++ int slen;
+ 
+ cb_type = us->us_allowed & us->us_type;
+ dbglog("cbcp_resp cb_type=%d", cb_type);
+@@ -356,12 +365,17 @@
+ 
+ if (cb_type & ( 1 << CB_CONF_USER ) ) {
+ dbglog("cbcp_resp CONF_USER");
++ slen = strlen(us->us_number);
++ if (slen > 250) {
++ warn("callback number truncated to 250 characters");
++ slen = 250;
++ }
+ PUTCHAR(CB_CONF_USER, bufp);
+- len = 3 + 1 + strlen(us->us_number) + 1;
++ len = 3 + 1 + slen + 1;
+ PUTCHAR(len , bufp);
+ PUTCHAR(5, bufp); /* delay */
+ PUTCHAR(1, bufp);
+- BCOPY(us->us_number, bufp, strlen(us->us_number) + 1);
++ BCOPY(us->us_number, bufp, slen + 1);
+ cbcp_send(us, CBCP_RESP, buf, len);
+ return;
+ }
+@@ -424,25 +438,29 @@
+ int opt_len;
+ char address[256];
+ 
+- if (len) {
++ if (len >= 2) {
+ GETCHAR(type, pckt);
+ GETCHAR(opt_len, pckt);
+ 
+- if (opt_len > 2)
+- GETCHAR(delay, pckt);
++ if (opt_len >= 2 && opt_len <= len) {
++ if (opt_len > 2)
++ GETCHAR(delay, pckt);
+ 
+- if (opt_len > 4) {
+- GETCHAR(addr_type, pckt);
+- memcpy(address, pckt, opt_len - 4);
+- address[opt_len - 4] = 0;
+- if (address[0])
+- dbglog("peer will call: %s", address);
+- }
+- if (type == CB_CONF_NO)
+- return;
+- }
++ if (opt_len > 4) {
++ GETCHAR(addr_type, pckt);
++ memcpy(address, pckt, opt_len - 4);
++ address[opt_len - 4] = 0;
++ if (address[0])
++ dbglog("peer will call: %s", address);
++ }
++ if (type == CB_CONF_NO)
++ return;
+ 
+- cbcp_up(us);
++ cbcp_up(us);
++ 
++ } else if (debug)
++ dbglog("cbcp_recvack: malformed packet");
++ }
+ }
+ 
+ /* ok peer will do callback */
diff --git a/ppp.spec b/ppp.spec
index a04483d..65121b3 100644
--- a/ppp.spec
+++ b/ppp.spec
@@ -1,7 +1,7 @@
 Summary: The PPP (Point-to-Point Protocol) daemon.
 Name: ppp
 Version: 2.4.2
-Release: 6.3
+Release: 7
 License: distributable
 Group: System Environment/Daemons
 Source0: ftp://ftp.samba.org/pub/ppp/ppp-%{version}.tar.gz
@@ -25,6 +25,7 @@ Patch14: ppp-2.4.2-argv.patch
 Patch15: ppp-2.4.2-pppoatm.patch
 Patch16: ppp-2.4.2-pppoatm-mtu.patch
 Patch17: ppp-2.4.2-pppoatm-make.patch
+Patch18: ppp-2.4.1-pkgcheck.patch
 BuildRoot: %{_tmppath}/%{name}-root
 BuildPrereq: pam-devel, libpcap
@@ -59,6 +60,7 @@ organization over a modem and phone line.
 %patch15 -p1 -b .atm
 %patch16 -p1 -b .atm-mtu
 %patch17 -p1 -b .atm-make
+%patch18 -p1 -b .pkgcheck
 find . -type f -name "*.sample" | xargs rm -f
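Review bot: In the `@@ -356,12 +365,17 @@` hunk of the embedded cbcp.c patch, the new branch clamps `slen` to 250 but the copy stays `BCOPY(us->us_number, bufp, slen + 1)`, so when the clamp fires the extra byte copied is `us_number[250]` rather than a terminator, and the option written into `buf` goes out without its NUL in exactly the case the clamp was added for. Copying only the clamped length and writing the terminator explicitly covers both cases: `BCOPY(us->us_number, bufp, slen);` followed by `bufp[slen] = 0;` (with `bufp` at `buf + 4` and `slen <= 250` this stays inside `buf[256]`). That also keeps `len = 3 + 1 + slen + 1` consistent with what is actually in the buffer. The header of cbcp_resp and the rest of its body lie outside the shown hunks, and where `us_number` is set is not visible here, so whether it can exceed 250 characters in practice cannot be judged from this diff.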
@@ -117,6 +119,9 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Tue Nov 2 2004 Thomas Woerner 2.4.2-7
+- fixed out of bounds memory access, possible DOS
+
 * Thu Oct 7 2004 David Woodhouse 2.4.2-6.3
 - Fix use of 'demand' without explicit MTU/MRU with pppoatm