rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
If the process id is bigger than 65535 (FFFF), its hex representation will be
longer than 4 characters, resulting in a buffer overflow.
The bug can be exploited to cause a remote DoS.
Bug-Debian: https://bugs.debian.org/782450
Last-Update: <2015-04-14>
Gbp-Pq: Name rc_mksid-no-buffer-overflow
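The length arithmetic behind the rc_mksid overflow, as an added example (not code from the ppp source or from this patch): it measures how many bytes the formatted ID needs once the PID passes 0xFFFF and shows one bounded, masked way to build it. The 15-byte buffer, the format string and the names `sid_len_unmasked` and `sid_make_safe` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (not taken from the page): 8 hex digits of time, 4 of PID,
 * 2 of a counter, plus the terminating NUL = 15 bytes. */
#define SID_BUF_LEN 15
#define SID_FMT "%08lX%04X%02X"

/* Characters the unmasked format needs, excluding the NUL.
 * snprintf(NULL, 0, ...) only measures; nothing is written. */
int sid_len_unmasked(unsigned long now, unsigned int pid, unsigned int cnt)
{
    return snprintf(NULL, 0, SID_FMT, now, pid, cnt & 0xFFU);
}

/* Hardened variant: every field is masked to its digit budget and the write
 * is bounded. Returns 0 on success, -1 if the result would not fit. */
int sid_make_safe(char *buf, size_t len, unsigned long now,
                  unsigned int pid, unsigned int cnt)
{
    int n = snprintf(buf, len, SID_FMT,
                     now & 0xFFFFFFFFUL, pid & 0xFFFFU, cnt & 0xFFU);
    return (n >= 0 && (size_t)n < len) ? 0 : -1;
}

int main(void)
{
    const unsigned long now = 0x552D0000UL;   /* constructed timestamp */
    const unsigned int pids[] = { 1234, 65535, 65536, 4194304 };
    char sid[SID_BUF_LEN];

    for (size_t i = 0; i < sizeof pids / sizeof pids[0]; i++) {
        int need = sid_len_unmasked(now, pids[i], 1) + 1;  /* + NUL */
        sid_make_safe(sid, sizeof sid, now, pids[i], 1);
        printf("pid %7u: unmasked needs %2d of %d bytes%s, safe sid %s\n",
               pids[i], need, SID_BUF_LEN,
               need > SID_BUF_LEN ? " (overflow)" : "", sid);
    }
    return 0;
}
```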
The udeb package does not have crypt(3).
This patch makes authentication always fail, since it is not needed anyway
for dialout.
Gbp-Pq: Name no_crypt_hack
This fixes the following compile-time warning when building with
-D_FORTIFY_SOURCE=2:
  In file included from /usr/include/string.h:638:0,
                   from ./includes.h:26,
                   from clientid.c:12:
  In function 'strncat',
      inlined from 'rc_map2id' at clientid.c:113:9:
  /usr/include/i386-linux-gnu/bits/string3.h:150:3: warning: call to
  __builtin___strncat_chk might overflow destination buffer [enabled by default]
     return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
     ^
Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.4-strncatfix.patch?rev=7a0fdeff0b29437dd7f4581c95c7255a
Forwarded: no
Reviewed-by: Chris Boot <bootc@debian.org>
Last-Update: 2014-01-12
Gbp-Pq: Name ppp-2.4.4-strncatfix.patch
add support for the Framed-MTU Radius attribute
http://ppp.samba.org/cgi-bin/ppp-bugs/incoming?id=1532
From: klepikov_a@up.ua
To: ppp-bugs@ppp.samba.org
Subject: Radius plugin does not set MTU on ppp interface
Date: Mon, 22 Jan 2007 12:36:59 +0000 (GMT)
Full_Name: Alexander Klepikov
Version: 2.4.3
OS: rhl 7.3 (2.4.20-28.7bigmem)
Submission from: (NULL) (213.130.21.73)
This patch allows radius plugin to deal with Framed-MTU Radius attribute and to
set MTU on interface.
Gbp-Pq: Name radius_mtu
Adds an option to pppd to control whether to replace existing default routes
when using the 'defaultroute' option.
If defaultroute and replacedefaultroute are both set, pppd replaces an existing
default route with the new default route. The old default route is restored when
the connection is taken down.
Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.2-cifdefroute.diff?rev=7a0fdeff0b29437dd7f4581c95c7255a
Forwarded: no
Reviewed-by: Chris Boot <bootc@debian.org>
Last-Update: 2014-01-26
Gbp-Pq: Name cifdefroute.dif
Add pppoe 'host-uniq' option to set an arbitrary
host-uniq tag instead of the pppd pid.
Some ISPs use such tag to authenticate the CPE,
so it must be set to a proper value to connect.
Signed-off-by: Matteo Croce <matteo@openwrt.org>
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Gbp-Pq: Name pr-28-pppoe-custom-host-uniq-tag.patch
disable unneeded code in the pppoatm plugin
This patch halves the size of the PPPoA plugin by disabling features
which are never used with normal DSL connections (i.e. parsing of QoS
configuration directives and DNS resolution of VP/VC addresses).
It is especially useful for install images and embedded systems.
A next step could be removing text2qos.c, text2atm.c, misc.c and ans.c
and encouraging users interested in the complete features to link the
plugin with the real libatm. I really doubt anybody cares, anyway.
Gbp-Pq: Name pppoatm_resolver_light
make sure that the linkpidfile is always created
Subject: Bug#284382: ppp: linkpidfile is not created upon detachment
From: <herbert@gondor.apana.org.au>
Package: ppp
Version: 2.4.2+20040428-2
Severity: wishlist
When pppd detaches from the parent normally, that is, without nodetach
or updetach set, the linkpidfile is not created even when linkname is
set.
This is because the create_linkpidfile call in detach() is only made
if the linkpidfile is filled in. However, linkpidfile is never filled
in until create_linkpidfile has been called.
IMHO the call should be made unconditionally in detach() since
create_linkpidfile does its own check on linkname anyway.
Please note that the version of pppd in woody always wrote the
linkpidfile after detaching. It did so in main() however. That
call has now been removed which is why I'm seeing this problem.
[...]
--
Gbp-Pq: Name fix_linkpidfile
be sure to close /dev/ppp when reconnecting
From: Simon Peter <dn.tlp@gmx.net>
Subject: Bug#306261: pppd does not properly close /dev/ppp on persist
When using the kernel PPPoE driver, pppd never
closes /dev/ppp when the link has come down.
It opens superfluous fds to the device each time it re-opens the
connection, with the unclosed ones falsely reported always ready for
data by select().
This makes pppd eat up 100% CPU time after the first persist because of
the always instantly returning select() on the unclosed fds.
The problem also occurs with the upstream version, but does not occur
when a pty/tty device is used for the ppp connection.
Gbp-Pq: Name close_dev_ppp
Makefiles cleanup
Factor-out $COPTS and $LDOPTS to allow distributions to easily override
them. Properly use $LDFLAGS when linking and $CFLAGS when compiling.
Do not strip the installed binaries: this should be done by the
packaging system if required.
Gbp-Pq: Name makefiles_cleanup
This fixes builds with newer kernels. Basically, <netinet/in.h> needs to be
included before <linux/in.h> otherwise the earlier, unaware of the latter,
tries to redefine symbols and structures. Also, <linux/if_pppox.h> doesn't work
alone anymore, since it pulls the headers in the wrong order, so we better
include <netinet/in.h> early.
Gbp-Pq: Name 0016-pppoe-include-netinet-in.h-before-linux-in.h.patch
The pppoe-discovery program calls error() from the CHECK_ROOM macro
defined in pppoe.h. Since pppoe-discovery is a standalone program not
linked with the rest of pppd, the only way this could build is by
linking to glibc's proprietary error(3) function instead of the function
of the same name (but with different arguments) defined in pppd/utils.c.
So with glibc this builds, but will probably crash when the assertion is
triggered. As the assertion is unlikely to fail, nobody has noticed.
The build however fails with musl libc or uClibc since they don't
provide the doppelganger.
Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
Gbp-Pq: Name 0015-pppd-Provide-error-implementation-in-pppoe-discovery.patch
This is a modified version of a patch from openSUSE that enables PPP interfaces
to be called arbitrary names, rather than simply pppX where X is the unit
number.
The modifications from the stock openSUSE patch are:
- refresh patch on top of 018_ip-up_option.diff
- fix a printf format-string vulnerability in pppd/main.c:set_ifunit()
- clarify the pppd.8 manpage additions
- patch pppstats/pppstats.c to query renamed interfaces without complaint
Origin: SUSE
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458646
Forwarded: no
Reviewed-by: Chris Boot <bootc@debian.org>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Gbp-Pq: Name 0013-pppd-allow-use-of-arbitrary-interface-names.patch
According to POSIX, the canonical location for errno.h is on the top level.
Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
Gbp-Pq: Name 0012-Change-include-from-sys-errno.h-to-errno.h.patch
This fixes a bug where ccp_cilen() will return 4 bytes less than
necessary for the addci buffer if both deflate_correct and
deflate_draft are enabled.
Signed-off-by: Sylvain Rochet <gradator@gradator.net>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Gbp-Pq: Name 0009-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
This corrects the type of ccp_options.mppe; it is actually a bitfield of
MPPE_OPT_* and not a boolean.
Signed-off-by: Sylvain Rochet <gradator@gradator.net>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Gbp-Pq: Name 0008-pppd-Fix-ccp_options.mppe-type.patch
This fixes an if condition to prevent a possible 1-byte overrun
on ipxcp_hisoptions[0].name.
Reported-by: "Sabas Rosales, Blanca E" <blanca.e.sabas.rosales@intel.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Gbp-Pq: Name 0007-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
Once we've terminated the PPP session, there is no chance of a PPP layer
disconnect. Some PPPoE relays don't detect the PPP session going down, and
depend on a long timeout or a PPPoE PADT to terminate the session.
Send a PADT on disconnect to work around these buggy relays.
Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
Gbp-Pq: Name 0006-Send-PADT-on-PPPoE-disconnect.patch
Once the kernel handles PPPoE PADTs correctly[1], a PADT triggered
disconnect will result in EALREADY when pppd tries to clear the session ID.
Simply ignore the error if, and only if, the error is EALREADY.
[1] https://patchwork.ozlabs.org/patch/444717/
Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
Gbp-Pq: Name 0005-Suppress-false-error-message-on-PPPoE-disconnect.patch
print_string() displays characters as \\%.03o but without first
casting it from "char" to "unsigned char" so it gets sign-extended
to an int. This causes output like \37777777630 instead of \230.
Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
Gbp-Pq: Name 0004-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
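The sign-extension effect described above, as an added example (not pppd's print_string() and not code from this patch): a bounded byte escaper that can be run with and without the cast to unsigned char. The function `escape_bytes`, the `SAMPLE` input and the use of `signed char` to model a platform where plain char is signed are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: 'A', the byte 0x98 (octal 230), and a newline. */
static const char SAMPLE[] = { 'A', (char)0x98, '\n' };

/* Escape n bytes of 'in' into 'out' (capacity len, always NUL-terminated).
 * Printable ASCII is copied, everything else becomes \ooo.
 * fixed == 0 reproduces the missing cast; fixed != 0 applies it.
 * Returns the number of characters written, excluding the NUL. */
size_t escape_bytes(char *out, size_t len, const char *in, size_t n, int fixed)
{
    size_t used = 0;

    if (len == 0)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        signed char c = (signed char)in[i];   /* model a signed plain char */
        /* Without the cast, 0x98 is promoted to int -104, i.e. 0xFFFFFF98. */
        unsigned int v = fixed ? (unsigned int)(unsigned char)c
                               : (unsigned int)(int)c;
        int w;

        if (v >= 0x20 && v < 0x7f && v != '\\')
            w = snprintf(out + used, len - used, "%c", (int)v);
        else
            w = snprintf(out + used, len - used, "\\%.03o", v);
        if (w < 0 || (size_t)w >= len - used) {
            out[used] = '\0';                 /* drop the partial escape */
            break;
        }
        used += (size_t)w;
    }
    return used;
}

int main(void)
{
    char buf[64];

    escape_bytes(buf, sizeof buf, SAMPLE, sizeof SAMPLE, 0);
    printf("without cast: %s\n", buf);
    escape_bytes(buf, sizeof buf, SAMPLE, sizeof SAMPLE, 1);
    printf("with cast:    %s\n", buf);
    return 0;
}
```

In this example the uncast form needs up to 12 output characters per input byte instead of 4, so any buffer sized for three-digit escapes truncates early.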
poff could kill other pppd processes when there are many pppd
processes running on different serial ports.
Signed-off-by: Ming Dai <radaiming@gmail.com>
Gbp-Pq: Name 0003-scripts-Avoid-killing-wrong-pppd.patch
The current recursive loops do not check the exit status of make
in subdirs which leads to `make` passing even when a subdir failed
to compile or install.
URL: https://bugs.gentoo.org/334727
Signed-off-by: Martin von Gagern <Martin.vGagern@gmx.net>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Gbp-Pq: Name 0001-abort-on-errors-in-subdir-builds.patch