The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4 does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash.
Linux kernel versions 2.4.x are vulnerable to a denial-of-service (DoS) attack due to a missing timer initialization in the ISDN PPP CCP reset function. This flaw allows an attacker to trigger a kernel panic, rendering the system unusable and potentially leading to data loss.
Step 1: Trigger ISDN PPP CCP Reset: An attacker must initiate a reset of the ISDN PPP CCP (Compression Control Protocol). This can be achieved by sending specific network packets or manipulating ISDN PPP configuration.
Step 2: Function Call: The isdn_ppp_ccp_reset_alloc_state function is called as part of the reset process.
Step 3: Missing Initialization: The function fails to call init_timer on the ISDN PPP CCP reset state timer.
Step 4: Timer Use: The uninitialized timer is later used by the kernel, either directly or indirectly.
Step 5: Kernel Panic: Due to the uninitialized timer, the kernel attempts to access invalid memory locations, resulting in a kernel panic and system crash.
The vulnerability lies within the isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c of the Linux 2.4 kernel. The function allocates the CCP reset state but never calls init_timer on the timer_list structure that holds the ISDN PPP CCP reset state timer, so the timer is not properly set up before being used. When the timer is later triggered (or an attempt is made to use it), the kernel accesses uninitialized memory, leading to a kernel panic and system crash. The root cause is a missing init_timer(&timer_variable) call before the timer is used; the result is undefined behavior and a crash when the timer expires or is accessed.
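As an added illustration (not code from the kernel or from this page), the following user-space model of the Linux 2.4 timer_list shows why a freshly allocated reset state is unsafe until init_timer has cleared its embedded list pointers, and what a one-line fix looks like; the struct field names and the 0xA5 heap fill are constructed assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* User-space model of the Linux 2.4 timer_list (constructed for this
 * example, not the kernel's code). The timer embeds list pointers that
 * add_timer()/del_timer() follow, so they must be NULL before first use:
 * that is all init_timer() does, and what the ISDN PPP code omitted. */
struct list_head { struct list_head *next, *prev; };
struct timer_list {
    struct list_head list;
    unsigned long expires, data;
    void (*function)(unsigned long);
};
/* Stand-in for the CCP reset state object (field names are assumptions). */
struct ccp_reset_state { int id; struct timer_list timer; };

static void init_timer(struct timer_list *t)
{
    t->list.next = t->list.prev = NULL;
}

/* Allocates the reset state. A fresh kmalloc() buffer is modelled with a
 * constructed 0xA5 fill pattern, standing in for stale heap contents. */
struct ccp_reset_state *ccp_reset_alloc_state(int id, int call_init_timer)
{
    struct ccp_reset_state *rs = malloc(sizeof *rs);
    if (!rs)
        return NULL;
    memset(rs, 0xA5, sizeof *rs);       /* simulated uninitialised heap */
    rs->id = id;
    if (call_init_timer)                /* the missing one-line fix */
        init_timer(&rs->timer);
    rs->timer.data = (unsigned long)rs;
    return rs;
}

/* 2.4 treats a timer as queued whenever list.next is non-NULL and del_timer()
 * unlinks it by dereferencing list.prev/list.next, so a never-queued timer
 * with garbage pointers is exactly the crash path. This check, applied
 * before any add_timer()/del_timer(), allocates, inspects and frees. */
int ccp_reset_alloc_is_safe(int id, int call_init_timer)
{
    struct ccp_reset_state *rs = ccp_reset_alloc_state(id, call_init_timer);
    int ok = rs && rs->timer.list.next == NULL && rs->timer.list.prev == NULL;
    free(rs);
    return ok;
}
```

Running the check with the init_timer call disabled reproduces the unsafe state the advisory describes; with it enabled, the timer is safe to queue.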