oss-sec mailing list archives

Re: query on a pppol2tp_recvmsg() fix - security relevant?


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 19 Jun 2008 16:58:43 +0200

Hello guys,

  the fix as mentioned at:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6b6707a50c7598a83820077393f8823ab791abf8;hp=2e761e0532a784816e7e822dbaaece8c5d4be14d


is reasonable. I have investigated this issue in a little more
depth. It seems it could be a problem in the case when the targeted
host would run / have created the L2TP tunnel, would support
the Point-to-Point Protocol with the L2TP plugin enabled,
and then a local, unprivileged user could potentially
issue a PPP command / request with a too-long L2TP packet
to force kernel heap corruption (DoS). But as there
is no testcase / exploit available that I am aware
of till now, this all is only a presumption. If this were
a real problem, then hopefully only with low severity
(due to the special conditions / requirements that need
to be satisfied to trigger this issue).

Kind regards
Jan iankko Lieskovsky
RH kernel Security Response Team


On Wed, 2008-06-18 at 19:41 +0300, Eren Türkay wrote:
> On 18 Jun 2008 Wed 19:18:40 Marcus Meissner wrote:
> > A customer asks us if the following is a security problem:
>
> Secunia issued an advisory for that issue. It seems that it's a security
> problem, but I'm not sure :)
>
> http://secunia.com/advisories/30719/
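Added illustration, not code from this thread and not the kernel's pppol2tp code or the linked commit: a constructed userland model of the copy-length discipline a recvmsg-style handler needs when the received frame can be longer than the caller's buffer. The bug class Jan describes (a too-long packet driving a copy into a smaller destination) is avoided by bounding the copy to the destination size and reporting truncation to the caller instead of trusting the on-the-wire length. Names here (`struct rx_frame`, `recv_frame_checked`, `RX_MSG_TRUNC`, the `demo_*` helpers) are hypothetical and chosen for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a received frame; NOT the kernel's sk_buff.
 * `len` plays the role of the length that arrived from the wire, i.e. a
 * value a remote or local sender influences and the receiver must not
 * treat as a safe copy length on its own. */
struct rx_frame {
    const uint8_t *data;
    size_t len;
};

/* Hypothetical flag, mirroring the role MSG_TRUNC plays for a real
 * socket receive: the caller learns that its buffer was too small. */
#define RX_MSG_TRUNC 0x20

/* Copy a received frame into the caller's buffer of size buf_len.
 * Returns the number of bytes copied, which is never more than buf_len,
 * and sets RX_MSG_TRUNC in *flags when the frame did not fit.
 * The defect this guards against is using frame->len as the copy length
 * unconditionally, which lets an over-long frame write past `buf`. */
size_t recv_frame_checked(const struct rx_frame *frame,
                          uint8_t *buf, size_t buf_len, int *flags)
{
    size_t n = frame->len;

    *flags = 0;
    if (n > buf_len) {          /* bound the copy by the destination size */
        n = buf_len;
        *flags |= RX_MSG_TRUNC; /* and tell the caller data was dropped */
    }
    memcpy(buf, frame->data, n);
    return n;
}

/* Check helper: a constructed 64-byte frame received into a 16-byte
 * buffer must yield exactly 16 bytes and the truncation flag. */
int demo_oversize_frame_is_truncated(void)
{
    uint8_t wire[64];
    uint8_t user_buf[16];
    int flags;
    size_t got;

    memset(wire, 0xAB, sizeof wire);
    struct rx_frame frame = { wire, sizeof wire };

    got = recv_frame_checked(&frame, user_buf, sizeof user_buf, &flags);
    return got == sizeof user_buf
        && (flags & RX_MSG_TRUNC) != 0
        && memcmp(user_buf, wire, got) == 0;
}

/* Check helper: a constructed 8-byte frame into a 16-byte buffer is
 * copied whole, byte-exact, with no truncation flag. */
int demo_short_frame_copied_whole(void)
{
    const uint8_t wire[8] = { 0xFF, 0x03, 0xC0, 0x21, 0x01, 0x02, 0x03, 0x04 };
    uint8_t user_buf[16];
    int flags;
    size_t got;

    struct rx_frame frame = { wire, sizeof wire };

    got = recv_frame_checked(&frame, user_buf, sizeof user_buf, &flags);
    return got == sizeof wire
        && flags == 0
        && memcmp(user_buf, wire, got) == 0;
}

int main(void)
{
    printf("oversize frame truncated safely: %s\n",
           demo_oversize_frame_is_truncated() ? "yes" : "no");
    printf("short frame copied whole:        %s\n",
           demo_short_frame_copied_whole() ? "yes" : "no");
    return 0;
}
```

The point of the model is the order of operations: the destination size is the limit, the wire length only decides whether truncation is reported. A handler that copies first and checks afterwards, or that sizes the copy from the frame, is the pattern that turns an over-long frame into heap corruption.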

