aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2008-06-10 17:07:25 -0400
committerDavid S. Miller <davem@davemloft.net>2008-06-10 17:07:25 -0400
commit392fdb0e35055b96faa9c1cd6ab537805337cdce (patch)
treec39f1c89c575df054f60439dbffe7fc0a1f32f8b /drivers
parentea23ec26727b4df97b4965715f0519b6ddc0aa4b (diff)
net pppoe: Check packet length on all receive paths
The length field in the PPPOE header wasn't checked completely. This patch causes all packets shorter than the declared length to be dropped. It also changes the memcpy_toiovec call to skb_copy_datagram_iovec so that paged packets (rare for PPPOE) are handled properly. Thanks to Ilja of the Netric Security Team for discovering and reporting this bug, and Chris Wright for the total_len check. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/pppoe.c31
1 files changed, 17 insertions, 14 deletions
diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
index 58a26a47af29..d89ccfd6650c 100644
--- a/drivers/net/pppoe.c
+++ b/drivers/net/pppoe.c
@@ -341,12 +341,6 @@ static int pppoe_rcv_core(struct sock *sk, struct sk_buff *skb)
341 struct pppox_sock *relay_po; 341 struct pppox_sock *relay_po;
342 342
343 if (sk->sk_state & PPPOX_BOUND) { 343 if (sk->sk_state & PPPOX_BOUND) {
344 struct pppoe_hdr *ph = pppoe_hdr(skb);
345 int len = ntohs(ph->length);
346 skb_pull_rcsum(skb, sizeof(struct pppoe_hdr));
347 if (pskb_trim_rcsum(skb, len))
348 goto abort_kfree;
349
350 ppp_input(&po->chan, skb); 344 ppp_input(&po->chan, skb);
351 } else if (sk->sk_state & PPPOX_RELAY) { 345 } else if (sk->sk_state & PPPOX_RELAY) {
352 relay_po = get_item_by_addr(&po->pppoe_relay); 346 relay_po = get_item_by_addr(&po->pppoe_relay);
@@ -357,7 +351,6 @@ static int pppoe_rcv_core(struct sock *sk, struct sk_buff *skb)
357 if ((sk_pppox(relay_po)->sk_state & PPPOX_CONNECTED) == 0) 351 if ((sk_pppox(relay_po)->sk_state & PPPOX_CONNECTED) == 0)
358 goto abort_put; 352 goto abort_put;
359 353
360 skb_pull(skb, sizeof(struct pppoe_hdr));
361 if (!__pppoe_xmit(sk_pppox(relay_po), skb)) 354 if (!__pppoe_xmit(sk_pppox(relay_po), skb))
362 goto abort_put; 355 goto abort_put;
363 } else { 356 } else {
@@ -388,6 +381,7 @@ static int pppoe_rcv(struct sk_buff *skb,
388{ 381{
389 struct pppoe_hdr *ph; 382 struct pppoe_hdr *ph;
390 struct pppox_sock *po; 383 struct pppox_sock *po;
384 int len;
391 385
392 if (!(skb = skb_share_check(skb, GFP_ATOMIC))) 386 if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
393 goto out; 387 goto out;
@@ -399,10 +393,21 @@ static int pppoe_rcv(struct sk_buff *skb,
399 goto drop; 393 goto drop;
400 394
401 ph = pppoe_hdr(skb); 395 ph = pppoe_hdr(skb);
396 len = ntohs(ph->length);
397
398 skb_pull_rcsum(skb, sizeof(*ph));
399 if (skb->len < len)
400 goto drop;
402 401
403 po = get_item(ph->sid, eth_hdr(skb)->h_source, dev->ifindex); 402 po = get_item(ph->sid, eth_hdr(skb)->h_source, dev->ifindex);
404 if (po != NULL) 403 if (!po)
405 return sk_receive_skb(sk_pppox(po), skb, 0); 404 goto drop;
405
406 if (pskb_trim_rcsum(skb, len))
407 goto drop;
408
409 return sk_receive_skb(sk_pppox(po), skb, 0);
410
406drop: 411drop:
407 kfree_skb(skb); 412 kfree_skb(skb);
408out: 413out:
@@ -937,12 +942,10 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock,
937 m->msg_namelen = 0; 942 m->msg_namelen = 0;
938 943
939 if (skb) { 944 if (skb) {
940 struct pppoe_hdr *ph = pppoe_hdr(skb); 945 total_len = min(total_len, skb->len);
941 const int len = ntohs(ph->length); 946 error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len);
942
943 error = memcpy_toiovec(m->msg_iov, (unsigned char *) &ph->tag[0], len);
944 if (error == 0) 947 if (error == 0)
945 error = len; 948 error = total_len;
946 } 949 }
947 950
948 kfree_skb(skb); 951 kfree_skb(skb);