Subject: kern/8446: if_ppp.c, no way to dump packet from compressor
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dbj@netbsd.org>
List: netbsd-bugs
Date: 09/19/1999 04:27:01
>Number:         8446
>Category:       kern
>Synopsis:       if_ppp.c, no way to dump packet from compressor
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 19 04:20:00 1999
>Last-Modified:
>Originator:     Darrin B. Jewell
>Organization:
>Release:        -current last updated around 19990917T0533Z
>Environment:
	
System: NetBSD dbj.ne.mediaone.net 1.4.1 NetBSD 1.4.1 (ROCINANTE) #0: Wed Aug 18 04:09:19 EDT 1999 dbj@dbj.ne.mediaone.net:/usr/obj.i386/ROCINANTE i386

>Description:
        There is no way for a ppp compression module to dump an
outgoing packet.  If the compression module fails to compress (due to
resource depletion, for example), the original uncompressed packet
will be sent out the wire.  This creates a security problem when
attempting to use the compress/decompress hooks to add an encryption
module to ppp.

>How-To-Repeat:
	
>Fix:

This patch will dump the outgoing packet if the compression function
returns a length less than zero.

Please comment.  If I receive no objections after a post to tech-net,
I will commit.  Also, would this change need to be reviewed/submitted
to upstream ppp maintainers?

Darrin

Index: if_ppp.c
===================================================================
RCS file: /cvsroot/syssrc/sys/net/if_ppp.c,v
retrieving revision 1.55
diff -u -r1.55 if_ppp.c
--- if_ppp.c	1999/07/30 10:35:38	1.55
+++ if_ppp.c	1999/09/19 10:56:48
@@ -977,6 +977,7 @@
     int address, control, protocol;
     int s;
 
+ again:
     /*
      * Grab a packet to send: first try the fast queue, then the
      * normal queue.
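Review bot: the `again:` label sits directly above the dequeue, after `int s;` is declared, so a backward jump re-enters the function with whatever state was set up between the label and the jump site. Please confirm that nothing acquired in that range (the hunk shows `s` declared but not how it is used) is still held when `goto again` runs, and add a short comment at the label saying it is the retry point for a packet dropped by the compressor.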
@@ -1059,6 +1060,11 @@
 	    slen += mp->m_len;
 	clen = (*sc->sc_xcomp->compress)
 	    (sc->sc_xc_state, &mcomp, m, slen, sc->sc_if.if_mtu + PPP_HDRLEN);
+	if (clen < 0) {
+		m_freem(m);
+		m_freem(mcomp);
+		goto again;
+	}
 	if (mcomp != NULL) {
 	    if (sc->sc_flags & SC_CCP_UP) {
 		/* Send the compressed packet instead of the original. */
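Review bot: in the new `if (clen < 0)` branch, `m_freem(mcomp)` is called although the visible lines do not show `mcomp` being initialized before the `compress` call, so a hook that fails before storing to `&mcomp` could leave it indeterminate. Set `mcomp = NULL` ahead of the call, or state in the hook's contract that a negative return leaves `*mcomp` either NULL or a valid chain. The drop is also silent: counting it (for example in `sc->sc_if.if_oerrors`) would let an operator see that an encryption module is refusing packets rather than the link going quiet. Finally, the new meaning of a negative return should be documented where the `compress` hook is declared, so existing compressors can be checked against it before this is committed.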

	
>Audit-Trail:
>Unformatted: