Symptom
After a bad packet is received, PPP starts dropping all packets - causing all PPP sessions to go down permanently.
Conditions
This issue can be hit in releases 3.9.x, 4.0.0, 4.0.1, 4.1.0 and 4.1.1. It is fixed in 4.0.2, 4.1.2, 4.2.0 and all later releases.
The issue is triggered by PPP receiving a malformed packet. Once this packet is received, all subsequent packets are dropped by PPP, which will cause PPP keepalives to time out and all PPP sessions to be brought down permanently.
Workaround
This issue should only be hit when badly formed PPP packets are received, which could be due to a HW issue, but could also be caused by the peer device sending bad packets. There is no way to prevent PPP from hitting the issue once the bad packet has been received.
To recover from the issue, ppp_ma needs to be restarted by issuing the command:
process restart ppp_ma location X
Further Problem Description
To determine if this problem has been hit, look at 'show ppp trace unique location X'. If either of the following tracepoints appears more recently than one saying 'PPP MA process is starting up', then the issue has been hit:
Oct 12 17:39:55.123 ppp/pkt/unq 0/1/CPU0 1# t2 Failed to read packet through SPIO:
'ctx' detected the 'fatal' condition 'Invalid offset argument specified'
Oct 19 00:18:32.323 ppp/pkt/unq 0/3/CPU0 1# t2 Packet from SPIO is too short
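The trace check described above can be scripted over saved command output. The following is an added example, not Cisco's code; the layout of the startup line in the sample is constructed (this note gives only its message text), the year is an assumption because the timestamps carry none, and a location with no visible startup entry is treated as affected.

```python
import re
from datetime import datetime

STARTUP = "PPP MA process is starting up"
FAILURES = ("Failed to read packet through SPIO", "Packet from SPIO is too short")
# timestamp, trace buffer name, location, two skipped fields, message
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:.]+)\s+\S+\s+(\S+)\s+\S+\s+\S+\s+(.*)$")

# Constructed sample: 0/1/CPU0 fails after its startup entry (affected);
# 0/3/CPU0 shows a startup entry after the failure (already restarted).
SAMPLE_TRACE = """\
Oct 12 17:30:00.000 ppp/pkt/unq 0/1/CPU0 1# t1 PPP MA process is starting up
Oct 12 17:39:55.123 ppp/pkt/unq 0/1/CPU0 1# t2 Failed to read packet through SPIO:
 'ctx' detected the 'fatal' condition 'Invalid offset argument specified'
Oct 19 00:18:32.323 ppp/pkt/unq 0/3/CPU0 1# t2 Packet from SPIO is too short
Oct 19 00:25:10.500 ppp/pkt/unq 0/3/CPU0 1# t1 PPP MA process is starting up
"""

def affected_locations(trace_text, year=2012):
    """Return {location: failure message} for every location whose newest
    failure tracepoint is more recent than its newest startup tracepoint."""
    last_start, last_fail = {}, {}
    for line in trace_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # wrapped continuation line or CLI banner
        # Assumption: all entries fall in the same calendar year.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        loc, msg = m.group(2), m.group(3)
        if STARTUP in msg:
            last_start[loc] = max(ts, last_start.get(loc, ts))
        elif any(f in msg for f in FAILURES):
            if loc not in last_fail or ts >= last_fail[loc][0]:
                last_fail[loc] = (ts, msg)
    # Assumption: no startup entry in the buffer means no restart since.
    return {loc: msg for loc, (ts, msg) in last_fail.items()
            if loc not in last_start or ts > last_start[loc]}

if __name__ == "__main__":
    for loc, msg in affected_locations(SAMPLE_TRACE).items():
        print(f"{loc}: restart ppp_ma needed ({msg})")
```

A trace buffer that spans a year boundary needs the entries split and parsed with the correct year for each part.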
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-5434 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html