diff options
Diffstat (limited to 'yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch')
-rw-r--r-- | yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch b/yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch new file mode 100644 index 000000000..c9edb3059 --- /dev/null +++ b/yocto-poky/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch @@ -0,0 +1,29 @@ +ppp: Buffer overflow in radius plugin + +From: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=782450 + +Upstream-Status: Backport + +On systems with more than 65535 processes running, pppd aborts when +sending a "start" accounting message to the RADIUS server because of a +buffer overflow in rc_mksid. + +The process id is used in rc_mksid to generate a pseudo-unique string, +assuming that the hex representation of the pid will be at most 4 +characters (FFFF). __sprintf_chk(), used when compiling with +optimization levels greater than 0 and FORTIFY_SOURCE, detects the +buffer overflow and makes pppd crash. + +The following patch fixes the problem. + +--- ppp-2.4.6.orig/pppd/plugins/radius/util.c ++++ ppp-2.4.6/pppd/plugins/radius/util.c +@@ -77,7 +77,7 @@ rc_mksid (void) + static unsigned short int cnt = 0; + sprintf (buf, "%08lX%04X%02hX", + (unsigned long int) time (NULL), +- (unsigned int) getpid (), ++ (unsigned int) getpid () % 65535, + cnt & 0xFF); + cnt++; + return buf; |