Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function and ->timer.data and later on calls add_timer() with no init_timer() ever done. Noted by Al Viro. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>

Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)
The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function and ->timer.data and later on calls add_timer() with no init_timer() ever done. Noted by Al Viro. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
bb3e712f · Marcel Holtmann · Adrian Bunk · 7c876d45 · bb3e712f
Commit bb3e712f authored Jan 04, 2007 by Marcel Holtmann Committed by Adrian Bunk Jan 04, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

drivers/isdn/i4l/isdn_ppp.c drivers/isdn/i4l/isdn_ppp.c +1 -0

No files found.
--- a/drivers/isdn/i4l/isdn_ppp.c
+++ b/drivers/isdn/i4l/isdn_ppp.c
@@ -2346,6 +2346,7 @@ static struct ippp_ccp_reset_state *isdn_ppp_ccp_reset_alloc_state(struct ippp_s
 		rs->state = CCPResetIdle;
 		rs->is = is;
 		rs->id = id;
+		init_timer(&rs->timer);
 		rs->timer.data = (unsigned long)rs;
 		rs->timer.function = isdn_ppp_ccp_timer_callback;
 		is->reset->rs[id] = rs;