authorKonstantin Sharlaimov <konstantin.sharlaimov@gmail.com>2007-06-24 02:05:54 -0400
committerDavid S. Miller <davem@davemloft.net>2007-06-24 02:05:54 -0400
commit4b2a8fb3a7f7935f62a7bbdc851789fb7c2da032 (patch)
tree73481354594bdab8a9208619ac9dd3f1ce47f424
parent7e4a6da7c2a1e0df06b71dc4ddc31910229ba9d9 (diff)
[PPP]: Fix osize too small errors when decoding mppe.
The mppe_decompress() function required a buffer that is 1 byte too small when receiving a message of mru size. This fixes buffer allocation to prevent this from occurring. Signed-off-by: Konstantin Sharlaimov <konstantin.sharlaimov@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/ppp_generic.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/drivers/net/ppp_generic.c b/drivers/net/ppp_generic.c
index 541168713f1f..3ef0092dc09c 100644
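--- a/drivers/net/ppp_generic.c
+++ b/drivers/net/ppp_generic.c
@@ -1708,7 +1708,18 @@ ppp_decompress_frame(struct ppp *ppp, struct sk_buff *skb)
 goto err;
 
 if (proto == PPP_COMP) {
-ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN);
+int obuff_size;
+
+switch(ppp->rcomp->compress_proto) {
+case CI_MPPE:
+obuff_size = ppp->mru + PPP_HDRLEN + 1;
+break;
+default:
+obuff_size = ppp->mru + PPP_HDRLEN;
+break;
+}
+
+ns = dev_alloc_skb(obuff_size);
 if (ns == 0) {
 printk(KERN_ERR "ppp_decompress_frame: no memory\n");
 goto err;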
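Review bot: The new `obuff_size` reaches only `dev_alloc_skb()`, and the diffstat (12 insertions, 1 deletion, all in this hunk) shows that nothing else in ppp_decompress_frame() changed. The output-size argument of the later `ppp->rcomp->decompress(...)` call is outside this hunk and presumably still `ppp->mru + PPP_HDRLEN`, so it would not reflect the extra byte. If that is the case, mppe_decompress() is still told the old size and its "osize too small" check can keep firing on mru-sized frames. Passing `obuff_size` as that argument keeps the allocated length and the length advertised to the decompressor in one variable, so the two cannot drift apart in a later edit. The `+ 1` in the `CI_MPPE` case should also carry a comment, e.g. `/* MPPE needs one spare output byte for an mru-sized frame */`.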