Description
In the Linux kernel, the following vulnerability has been resolved: pppoe: drop PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an uncompressed (2-byte) protocol field. However, the generic PPP layer function ppp_input() is not aware of the negotiation result, and still accepts PFC frames. If a peer with a broken implementation or an attacker sends a frame with a compressed (1-byte) protocol field, the subsequent PPP payload is shifted by one byte. This causes the network header to be 4-byte misaligned, which may trigger unaligned access exceptions on some architectures. To reduce the attack surface, drop PPPoE PFC frames. Introduce ppp_skb_is_compressed_proto() helper function to be used in both ppp_generic.c and pppoe.c to avoid open-coding.
CVSS breakdown
Affected products
- Linux / Linux7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 – cb3beef35ab5e0c1afca9fd7648c6ae499786377
- Linux / Linux7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 – ba758fdf1399f310b30098b6faa3fd043de47dd2
- Linux / Linux7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 – fcca1df05322bb04e344dd1178b54b76a08eb7c3
- Linux / Linux7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 – 8a5e840babc5c0fbd10c73728a13192347771ec6
- Linux / Linux7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 – 49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71
- Linux / Linux7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 – 0cab5d077dd1efd2bd1a47271acc35894f945b4f
- Linux / Linux7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 – 2b5c3c040d020e3ab3b9a8887031202d96843b1e
- Linux / Linux7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6 – cc1ff87bce1ccd38410ab10960f576dcd17db679
- Linux / Linux5.0 – 5.0
- Linux / Linux0 – 5.0
- Linux / Linux5.10.258 – 5.10.*
- Linux / Linux5.15.209 – 5.15.*
- Linux / Linux6.1.175 – 6.1.*
- Linux / Linux6.6.141 – 6.6.*
- Linux / Linux6.12.91 – 6.12.*
- Linux / Linux6.18.33 – 6.18.*
- Linux / Linux7.0.10 – 7.0.*
- Linux / Linux7.1 – *
References
- MISChttps://git.kernel.org/stable/c/cb3beef35ab5e0c1afca9fd7648c6ae499786377
- MISChttps://git.kernel.org/stable/c/ba758fdf1399f310b30098b6faa3fd043de47dd2
- MISChttps://git.kernel.org/stable/c/fcca1df05322bb04e344dd1178b54b76a08eb7c3
- MISChttps://git.kernel.org/stable/c/8a5e840babc5c0fbd10c73728a13192347771ec6
- MISChttps://git.kernel.org/stable/c/49e41b60ccd1bdbe9e218420f716dd5f9a2f9c71
- MISChttps://git.kernel.org/stable/c/0cab5d077dd1efd2bd1a47271acc35894f945b4f
- MISChttps://git.kernel.org/stable/c/2b5c3c040d020e3ab3b9a8887031202d96843b1e
- MISChttps://git.kernel.org/stable/c/cc1ff87bce1ccd38410ab10960f576dcd17db679