CVE-2006-0037
Description
ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Incorrect offset calculation from pointer arithmetic in the PPTP NAT helper when handling non-linear SKBs leads to memory corruption."
Attack vector
A local user can trigger the vulnerability by sending a crafted outbound PPTP packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used [ref_id=1]. The advisory describes this as an error in the PPTP NAT helper's handling of inbound PPTP_IN_CALL_REQUEST packets, which can be exploited to cause random memory corruption and crash the kernel [ref_id=1]. No authentication beyond local access is required.
Affected code
The vulnerability resides in `ip_nat_pptp` within the PPTP NAT helper (`netfilter/ip_nat_helper_pptp.c`) in Linux kernel 2.6.14 and other versions. The flaw occurs when handling inbound PPTP_IN_CALL_REQUEST packets, where an error in offset calculation from pointer arithmetic on non-linear SKBs (socket buffers) can lead to random memory corruption or a kernel crash [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the fix is delivered as part of a kernel update to version 2.6.15.1-1tr [ref_id=1]. The update addresses the missing validation in the PPTP NAT helper's offset calculation when processing non-linear SKBs, ensuring that pointer arithmetic produces correct offsets and preventing the memory corruption or crash.
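The bug class described above, as an added user-space example (not kernel code and not the actual patch). The `toy_*` types, the 16-byte packet and the header offset of 8 are constructed for illustration. The model assumes the header is read through an accessor that returns a copy when the data is non-linear, as the kernel's `skb_header_pointer()` does.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-ins (not kernel structures). */
struct toy_skb { const uint8_t *head; size_t head_len;    /* linear part */
                 const uint8_t *frag; size_t frag_len; }; /* paged part  */
struct toy_req { uint16_t type, reserved, call_id, peer_call_id; };

/* Like skb_header_pointer(): pointer into the linear area when the range is
 * fully linear, otherwise a copy in the caller's buffer. NULL if too short. */
static const uint8_t *toy_header_pointer(const struct toy_skb *skb, size_t off,
                                         size_t len, uint8_t *buf)
{
    if (off + len <= skb->head_len)
        return skb->head + off;
    if (off + len > skb->head_len + skb->frag_len)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        size_t pos = off + i;
        buf[i] = pos < skb->head_len ? skb->head[pos] : skb->frag[pos - skb->head_len];
    }
    return buf;
}

/* Flawed pattern: offset derived from the returned pointer, which may point
 * at the stack copy rather than into the packet. */
static ptrdiff_t flawed_offset(const struct toy_skb *skb, size_t hdr_off)
{
    uint8_t buf[sizeof(struct toy_req)];
    const uint8_t *req = toy_header_pointer(skb, hdr_off, sizeof(buf), buf);
    if (!req) return -1;
    const uint8_t *field = req + offsetof(struct toy_req, call_id);
    return (ptrdiff_t)((uintptr_t)field - (uintptr_t)skb->head);
}

/* Safer pattern: offset built only from packet-relative quantities. */
static ptrdiff_t fixed_offset(const struct toy_skb *skb, size_t hdr_off)
{
    if (hdr_off + sizeof(struct toy_req) > skb->head_len + skb->frag_len)
        return -1;
    return (ptrdiff_t)(hdr_off + offsetof(struct toy_req, call_id));
}

/* Constructed 16-byte packet; the request header starts at byte 8. */
static const uint8_t pkt[16] = {0};
static struct toy_skb sample(int linear)
{
    size_t h = linear ? 16 : 10;  /* non-linear: header straddles the split */
    struct toy_skb s = { pkt, h, pkt + h, 16 - h };
    return s;
}
static ptrdiff_t demo_flawed(int linear) { struct toy_skb s = sample(linear); return flawed_offset(&s, 8); }
static ptrdiff_t demo_fixed(int linear)  { struct toy_skb s = sample(linear); return fixed_offset(&s, 8); }
int main(void) { return (demo_fixed(0) == 12 && demo_flawed(0) != 12) ? 0 : 1; }
```

With a linear buffer both functions agree, which is why the flawed pattern passes ordinary testing. A write at the flawed offset in the non-linear case would land at an address unrelated to the packet.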
Preconditions
- auth: Attacker must have local access to the system to send crafted outbound PPTP packets
- config: The PPTP NAT helper (netfilter connection tracking) must be loaded and active
- input: Non-linear SKBs must be in use for the packet processing path
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.