fix possible buffer overflow, remove vulnerable versions

3 files changed, 18 insertions, 2 deletions

diff --git a/net-dialup/l2tpd/files/digest-l2tpd-0.69 b/net-dialup/l2tpd/files/digest-l2tpd-0.69
deleted file mode 100644
index 5697792addd2..000000000000
--- a/net-dialup/l2tpd/files/digest-l2tpd-0.69
+++ /dev/null
@@ -1,2 +0,0 @@
-MD5 c5dba6b80f583070fe9e6ed6e0c2162e l2tpd-0.69.tar.gz 127693
-MD5 0df73df624eb01307c2edff00f52b1d1 l2tpd-0.69-gcc-3.3.patch.gz 19123
diff --git a/net-dialup/l2tpd/files/digest-l2tpd-0.69-r1 b/net-dialup/l2tpd/files/digest-l2tpd-0.69-r2
index 4060c95bf5dd..4060c95bf5dd 100644
--- a/net-dialup/l2tpd/files/digest-l2tpd-0.69-r1
+++ b/net-dialup/l2tpd/files/digest-l2tpd-0.69-r2
diff --git a/net-dialup/l2tpd/files/l2tpd-0.69-can-2004-0649.patch b/net-dialup/l2tpd/files/l2tpd-0.69-can-2004-0649.patch
new file mode 100644
index 000000000000..90d3150dc4f5
--- /dev/null
+++ b/net-dialup/l2tpd/files/l2tpd-0.69-can-2004-0649.patch
@@ -0,0 +1,18 @@
+--- l2tpd-0.69.orig/control.c
++++ l2tpd-0.69/control.c
+@@ -1575,6 +1575,15 @@
+     wbuf[pos++] = e;
+     for (x = 0; x < buf->len; x++)
+     {
++		// we must at least still have 3 bytes left in the worst case scenario:
++        // 1 for a possible escape, 1 for the value and 1 to end the PPP stream.
++        if(pos >= (sizeof(wbuf) - 4)) {
++            if(DEBUG)
++                log(LOG_CRIT, "%s: rx packet is too big after PPP encoding (size %u, max is %u)\n",
++                                __FUNCTION__, buf->len, MAX_RECV_SIZE);
++            return -EINVAL;
++        }   
++
+         e = *((char *) buf->start + x);
+         if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG))
+         {