The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP
implementation in the Linux kernel before 2.6.34 does not properly validate
certain values associated with an interface, which allows attackers to
cause a denial of service (NULL pointer dereference and OOPS) or possibly
have unspecified other impact via vectors related to a routing change.
James Chapman discovered that L2TP did not correctly evaluate checksum
capabilities. If an attacker could make malicious routing changes, they
could crash the system, leading to a denial of service.
Updated: 2015-10-17 03:35:32 UTC (commit 10086)