Package: ppp
Version: 2.4.6-3
Severity: important
Tags: patch
On systems with more than 65535 processes running, pppd aborts when
sending a "start" accounting message to the RADIUS server because of a
buffer overflow in rc_mksid.
The process id is used in rc_mksid to generate a pseudo-unique string,
assuming that the hex representation of the pid will be at most 4
characters (FFFF). __sprintf_chk(), used when compiling with
optimization levels greater than 0 and FORTIFY_SOURCE, detects the
buffer overflow and makes pppd crash.
The following patch fixes the problem.
--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
+++ ppp-2.4.6/pppd/plugins/radius/util.c
@@ -77,7 +77,7 @@ rc_mksid (void)
static unsigned short int cnt = 0;
sprintf (buf, "%08lX%04X%02hX",
(unsigned long int) time (NULL),
- (unsigned int) getpid (),
+ (unsigned int) getpid () % 65535,
cnt & 0xFF);
cnt++;
return buf;
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ppp depends on:
ii init-system-helpers 1.22
ii libc6 2.19-17
ii libpam-modules 1.1.8-3.1
ii libpam-runtime 1.1.8-3.1
ii libpam0g 1.1.8-3.1
ii libpcap0.8 1.6.2-2
ii procps 2:3.3.9-9
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
