Re: Local user can send forged packets

From: Pavel Kankovsky (peakat_private)
Date: Sat Oct 23 1999 - 09:34:56 PDT


    The advisory did not explain what was the cause of the problem.
    (Rant: Why? Will the following explanation help anyone who would not be
    able to find out this piece of information himself to abuse the bug?)
    
    As far as I can tell, the problem is this: anyone, including mere mortals,
    is allowed to use TIOCSETD. Therefore anyone can set PPP line discipline
    on a tty under his control and send forged datagrams right into the kernel
    network subsystem.
    
    I do not believe there is any reason why mortals should ever be allowed to
    use TIOCSETD (at least under Linux), therefore adding something like
    "if (!suser()) return -EPERM;" under "case TIOCSETD:" in drivers/char/
    tty_io.c should fix the problem for 2.0 (things are a bit more
    complicated in 2.2 but we've already got a fix for 2.2). But remember:
    you use it at your own risk, there is no guarantee this patch will not
    kill all your family when used improperly.
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    
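The check proposed in the message above, as an added userland model; this is not kernel code and not part of the original post. All `model_*` names, `MODEL_TIOCSETD`, and the structs are hypothetical stand-ins; only the line discipline numbers `N_TTY` and `N_PPP` match Linux.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum { N_TTY = 0, N_PPP = 3 };        /* line discipline numbers as in Linux */
enum { MODEL_TIOCSETD = 1 };          /* hypothetical ioctl number for this model */
struct task { unsigned euid; };       /* hypothetical: caller credentials */
struct tty  { int ldisc; };           /* hypothetical: current line discipline */
static unsigned long frames_to_netstack; /* frames handed to the "network stack" */

/* Stand-in for the suser() check named in the message. */
static int model_suser(const struct task *t) { return t->euid == 0; }

/* Model of "case TIOCSETD:"; hardened != 0 adds the proposed check. */
int model_tty_ioctl(const struct task *t, struct tty *tty, int cmd, int arg,
                    int hardened)
{
    if (cmd != MODEL_TIOCSETD)
        return -EINVAL;
    if (hardened && !model_suser(t))
        return -EPERM;                /* mortals may not change the discipline */
    tty->ldisc = arg;
    return 0;
}

/* Model of data written to the tty: under N_PPP it becomes network input. */
int model_tty_receive(const struct tty *tty, size_t len)
{
    if (tty->ldisc == N_PPP && len > 0) {
        frames_to_netstack++;
        return 1;                     /* treated as a received datagram */
    }
    return 0;                         /* ordinary terminal data */
}

/* Task with the given euid tries to switch a tty to PPP and write one
 * constructed frame; returns how many frames reached the network stack. */
unsigned long model_run(unsigned euid, int hardened)
{
    struct task caller = { euid };
    struct tty pty = { N_TTY };
    frames_to_netstack = 0;
    (void)model_tty_ioctl(&caller, &pty, MODEL_TIOCSETD, N_PPP, hardened);
    model_tty_receive(&pty, 1);
    return frames_to_netstack;
}

int main(void)
{
    printf("uid 1000, no check:   %lu\n", model_run(1000, 0));
    printf("uid 1000, with check: %lu\n", model_run(1000, 1));
    return 0;
}
```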


