All versions of l2tpd contain a bss-based buffer overflow. After circumventing some minor obstacles (i.e., faking a L2TP tunnel establishment) the overflow can be triggered by sending a specially crafted packet. The crucial code can be found in write_packet() in control.c: static unsigned char wbuf[MAX_RECV_SIZE]; int pos = 0; [..] e = PPP_FLAG; wbuf[pos++] = e; for (x = 0; x < buf->len; x++) { e = *((char *) buf->start + x); if ((e < 0x20) || (e == PPP_ESCAPE) || (e == PPP_FLAG)) { /* Escape this */ e = e ^ 0x20; wbuf[pos++] = PPP_ESCAPE; } wbuf[pos++] = e; } wbuf[pos++] = PPP_FLAG; Nota bene: buf->len can be upto 4080 = 4096 (=: MAX_RECV_SIZE) - 16. It might be hard or even impossible to exploit this buffer overflow. Thomas Walpuski