Commit 221956a2 authored by Florian Westphal's avatar Florian Westphal Committed by Willy Tarreau

ppp: deflate: never return len larger than output buffer

[ Upstream commit e2a4800e ]

When we've run out of space in the output buffer to store more data, we
will call zlib_deflate with a NULL output buffer until we've consumed
remaining input.

When this happens, olen contains the size the output buffer would have
consumed iff we'd have had enough room.

This can later cause skb_over_panic when ppp_generic skb_put()s
the returned length.
Reported-by: default avatarIain Douglas <centos@1n6.org.uk>
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
(cherry picked from commit 8bcd6442)
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent 964a5909
......@@ -269,7 +269,7 @@ static int z_compress(void *arg, unsigned char *rptr, unsigned char *obuf,
/*
* See if we managed to reduce the size of the packet.
*/
if (olen < isize) {
if (olen < isize && olen <= osize) {
state->stats.comp_bytes += olen;
state->stats.comp_packets++;
} else {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment