diff options
| author | Ben Hutchings <ben@decadent.org.uk> | 2015-11-01 11:22:53 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-11-02 16:25:00 -0500 |
| commit | 4ab42d78e37a294ac7bc56901d563c642e03c4ae (patch) | |
| tree | eed185aafd345a302f05711c3e6d5d80fca7c3f9 /drivers/net/ppp | |
| parent | 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 (diff) | |
ppp, slip: Validate VJ compression slot parameters completely
Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).
Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL. Change the callers accordingly.
Compile-tested only.
Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/ppp')
| -rw-r--r-- | drivers/net/ppp/ppp_generic.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index ed00446759b2..9a863c6a6a33 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c | |||
| @@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | |||
| 721 | val &= 0xffff; | 721 | val &= 0xffff; |
| 722 | } | 722 | } |
| 723 | vj = slhc_init(val2+1, val+1); | 723 | vj = slhc_init(val2+1, val+1); |
| 724 | if (!vj) { | 724 | if (IS_ERR(vj)) { |
| 725 | netdev_err(ppp->dev, | 725 | err = PTR_ERR(vj); |
| 726 | "PPP: no memory (VJ compressor)\n"); | ||
| 727 | err = -ENOMEM; | ||
| 728 | break; | 726 | break; |
| 729 | } | 727 | } |
| 730 | ppp_lock(ppp); | 728 | ppp_lock(ppp); |