1 files changed, 28 insertions, 30 deletions
diff --git a/drivers/net/ppp_generic.c b/drivers/net/ppp_generic.c
index 9293c82ef2af..4b49d0e8c7eb 100644
--- a/drivers/net/ppp_generic.c
+++ b/drivers/net/ppp_generic.c
@@ -899,17 +899,9 @@ ppp_start_xmit(struct sk_buff *skb, struct net_device *dev)
        /* Put the 2-byte PPP protocol number on the front,
           making sure there is room for the address and control fields. */
-        if (skb_headroom(skb) < PPP_HDRLEN) {
+        if (skb_cow_head(skb, PPP_HDRLEN))
-                struct sk_buff *ns;
+                goto outf;
-                ns = alloc_skb(skb->len + dev->hard_header_len, GFP_ATOMIC);
-                if (ns == 0)
-                        goto outf;
-                skb_reserve(ns, dev->hard_header_len);
-                skb_copy_bits(skb, 0, skb_put(ns, skb->len), skb->len);
-                kfree_skb(skb);
-                skb = ns;
-        }
        pp = skb_push(skb, 2);
        proto = npindex_to_proto[npi];
        pp[0] = proto >> 8;
@@ -1533,7 +1525,7 @@ ppp_input_error(struct ppp_channel *chan, int code)
 static void
 ppp_receive_frame(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
 {
-        if (skb->len >= 2) {
+        if (pskb_may_pull(skb, 2)) {
 #ifdef CONFIG_PPP_MULTILINK
                /* XXX do channel-level decompression here */
                if (PPP_PROTO(skb) == PPP_MP)
@@ -1585,7 +1577,7 @@ ppp_receive_nonmp_frame(struct ppp *ppp, struct sk_buff *skb)
                if (ppp->vj == 0 || (ppp->flags & SC_REJ_COMP_TCP))
                        goto err;
-                if (skb_tailroom(skb) < 124) {
+                if (skb_tailroom(skb) < 124 || skb_cloned(skb)) {
                        /* copy to a new sk_buff with more tailroom */
                        ns = dev_alloc_skb(skb->len + 128);
                        if (ns == 0) {
@@ -1656,23 +1648,29 @@ ppp_receive_nonmp_frame(struct ppp *ppp, struct sk_buff *skb)
                /* check if the packet passes the pass and active filters */
                /* the filter instructions are constructed assuming
                   a four-byte PPP header on each packet */
-                *skb_push(skb, 2) = 0;
+                if (ppp->pass_filter || ppp->active_filter) {
-                if (ppp->pass_filter
+                        if (skb_cloned(skb) &&
-                    && sk_run_filter(skb, ppp->pass_filter,
+                            pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
-                                     ppp->pass_len) == 0) {
+                                goto err;
-                        if (ppp->debug & 1)
-                                printk(KERN_DEBUG "PPP: inbound frame not passed\n");
+                        *skb_push(skb, 2) = 0;
-                        kfree_skb(skb);
+                        if (ppp->pass_filter
-                        return;
+                            && sk_run_filter(skb, ppp->pass_filter,
-                }
+                                             ppp->pass_len) == 0) {
-                if (!(ppp->active_filter
+                                if (ppp->debug & 1)
-                      && sk_run_filter(skb, ppp->active_filter,
+                                        printk(KERN_DEBUG "PPP: inbound frame "
-                                       ppp->active_len) == 0))
+                                               "not passed\n");
-                        ppp->last_recv = jiffies;
+                                kfree_skb(skb);
-                skb_pull(skb, 2);
+                                return;
-#else
+                        }
-                ppp->last_recv = jiffies;
+                        if (!(ppp->active_filter
+                              && sk_run_filter(skb, ppp->active_filter,
+                                               ppp->active_len) == 0))
+                                ppp->last_recv = jiffies;
+                        __skb_pull(skb, 2);
+                } else
 #endif /* CONFIG_PPP_FILTER */
+                        ppp->last_recv = jiffies;
                if ((ppp->dev->flags & IFF_UP) == 0
                    || ppp->npmode[npi] != NPMODE_PASS) {
@@ -1770,7 +1768,7 @@ ppp_receive_mp_frame(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
        struct channel *ch;
        int mphdrlen = (ppp->flags & SC_MP_SHORTSEQ)? MPHDRLEN_SSN: MPHDRLEN;
-        if (!pskb_may_pull(skb, mphdrlen) || ppp->mrru == 0)
+        if (!pskb_may_pull(skb, mphdrlen + 1) || ppp->mrru == 0)
                goto err;               /* no good, throw it away */
        /* Decode sequence number and begin/end bits */

diff --git a/drivers/net/ppp_generic.c b/drivers/net/ppp_generic.c index 9293c82ef2af..4b49d0e8c7eb 100644 --- a/drivers/net/ppp_generic.c +++ b/drivers/net/ppp_generic.c
@@ -899,17 +899,9 @@ ppp_start_xmit(struct sk_buff skb, struct net_device dev)
899		899
900	/* Put the 2-byte PPP protocol number on the front,	900	/* Put the 2-byte PPP protocol number on the front,
901	making sure there is room for the address and control fields. */	901	making sure there is room for the address and control fields. */
902	if (skb_headroom(skb) < PPP_HDRLEN) {	902	if (skb_cow_head(skb, PPP_HDRLEN))
903	struct sk_buff *ns;	903	goto outf;
904		904
905	ns = alloc_skb(skb->len + dev->hard_header_len, GFP_ATOMIC);
906	if (ns == 0)
907	goto outf;
908	skb_reserve(ns, dev->hard_header_len);
909	skb_copy_bits(skb, 0, skb_put(ns, skb->len), skb->len);
910	kfree_skb(skb);
911	skb = ns;
912	}
913	pp = skb_push(skb, 2);	905	pp = skb_push(skb, 2);
914	proto = npindex_to_proto[npi];	906	proto = npindex_to_proto[npi];
915	pp[0] = proto >> 8;	907	pp[0] = proto >> 8;
@@ -1533,7 +1525,7 @@ ppp_input_error(struct ppp_channel *chan, int code)
1533	static void	1525	static void
1534	ppp_receive_frame(struct ppp ppp, struct sk_buff skb, struct channel *pch)	1526	ppp_receive_frame(struct ppp ppp, struct sk_buff skb, struct channel *pch)
1535	{	1527	{
1536	if (skb->len >= 2) {	1528	if (pskb_may_pull(skb, 2)) {
1537	#ifdef CONFIG_PPP_MULTILINK	1529	#ifdef CONFIG_PPP_MULTILINK
1538	/* XXX do channel-level decompression here */	1530	/* XXX do channel-level decompression here */
1539	if (PPP_PROTO(skb) == PPP_MP)	1531	if (PPP_PROTO(skb) == PPP_MP)
@@ -1585,7 +1577,7 @@ ppp_receive_nonmp_frame(struct ppp ppp, struct sk_buff skb)
1585	if (ppp->vj == 0 \|\| (ppp->flags & SC_REJ_COMP_TCP))	1577	if (ppp->vj == 0 \|\| (ppp->flags & SC_REJ_COMP_TCP))
1586	goto err;	1578	goto err;
1587		1579
1588	if (skb_tailroom(skb) < 124) {	1580	if (skb_tailroom(skb) < 124 \|\| skb_cloned(skb)) {
1589	/* copy to a new sk_buff with more tailroom */	1581	/* copy to a new sk_buff with more tailroom */
1590	ns = dev_alloc_skb(skb->len + 128);	1582	ns = dev_alloc_skb(skb->len + 128);
1591	if (ns == 0) {	1583	if (ns == 0) {
@@ -1656,23 +1648,29 @@ ppp_receive_nonmp_frame(struct ppp ppp, struct sk_buff skb)
1656	/* check if the packet passes the pass and active filters */	1648	/* check if the packet passes the pass and active filters */
1657	/* the filter instructions are constructed assuming	1649	/* the filter instructions are constructed assuming
1658	a four-byte PPP header on each packet */	1650	a four-byte PPP header on each packet */
1659	*skb_push(skb, 2) = 0;	1651	if (ppp->pass_filter \|\| ppp->active_filter) {
1660	if (ppp->pass_filter	1652	if (skb_cloned(skb) &&
1661	&& sk_run_filter(skb, ppp->pass_filter,	1653	pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
1662	ppp->pass_len) == 0) {	1654	goto err;
1663	if (ppp->debug & 1)	1655
1664	printk(KERN_DEBUG "PPP: inbound frame not passed\n");	1656	*skb_push(skb, 2) = 0;
1665	kfree_skb(skb);	1657	if (ppp->pass_filter
1666	return;	1658	&& sk_run_filter(skb, ppp->pass_filter,
1667	}	1659	ppp->pass_len) == 0) {
1668	if (!(ppp->active_filter	1660	if (ppp->debug & 1)
1669	&& sk_run_filter(skb, ppp->active_filter,	1661	printk(KERN_DEBUG "PPP: inbound frame "
1670	ppp->active_len) == 0))	1662	"not passed\n");
1671	ppp->last_recv = jiffies;	1663	kfree_skb(skb);
1672	skb_pull(skb, 2);	1664	return;
1673	#else	1665	}
1674	ppp->last_recv = jiffies;	1666	if (!(ppp->active_filter
		1667	&& sk_run_filter(skb, ppp->active_filter,
		1668	ppp->active_len) == 0))
		1669	ppp->last_recv = jiffies;
		1670	__skb_pull(skb, 2);
		1671	} else
1675	#endif /* CONFIG_PPP_FILTER */	1672	#endif /* CONFIG_PPP_FILTER */
		1673	ppp->last_recv = jiffies;
1676		1674
1677	if ((ppp->dev->flags & IFF_UP) == 0	1675	if ((ppp->dev->flags & IFF_UP) == 0
1678	\|\| ppp->npmode[npi] != NPMODE_PASS) {	1676	\|\| ppp->npmode[npi] != NPMODE_PASS) {
@@ -1770,7 +1768,7 @@ ppp_receive_mp_frame(struct ppp ppp, struct sk_buff skb, struct channel *pch)
1770	struct channel *ch;	1768	struct channel *ch;
1771	int mphdrlen = (ppp->flags & SC_MP_SHORTSEQ)? MPHDRLEN_SSN: MPHDRLEN;	1769	int mphdrlen = (ppp->flags & SC_MP_SHORTSEQ)? MPHDRLEN_SSN: MPHDRLEN;
1772		1770
1773	if (!pskb_may_pull(skb, mphdrlen) \|\| ppp->mrru == 0)	1771	if (!pskb_may_pull(skb, mphdrlen + 1) \|\| ppp->mrru == 0)
1774	goto err; /* no good, throw it away */	1772	goto err; /* no good, throw it away */
1775		1773
1776	/* Decode sequence number and begin/end bits */	1774	/* Decode sequence number and begin/end bits */