Commit f2aeb730 authored by Dmitry Antipov's avatar Dmitry Antipov Committed by Paolo Abeni

ppp: reject claimed-as-LCP but actually malformed packets

Since 'ppp_async_encode()' assumes valid LCP packets (with code
from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that
LCP packet has an actual body beyond PPP_LCP header bytes, and
reject claimed-as-LCP but actually malformed data otherwise.

Reported-by: syzbot+ec0723ba9605678b14bf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ec0723ba9605678b14bf
Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarDmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parent 8c6790b5
...@@ -70,6 +70,7 @@ ...@@ -70,6 +70,7 @@
#define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */ #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */
#define PPP_PROTO_LEN 2 #define PPP_PROTO_LEN 2
#define PPP_LCP_HDRLEN 4
/* /*
* An instance of /dev/ppp can be associated with either a ppp * An instance of /dev/ppp can be associated with either a ppp
...@@ -493,6 +494,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf, ...@@ -493,6 +494,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf,
return ret; return ret;
} }
static bool ppp_check_packet(struct sk_buff *skb, size_t count)
{
/* LCP packets must include LCP header which 4 bytes long:
* 1-byte code, 1-byte identifier, and 2-byte length.
*/
return get_unaligned_be16(skb->data) != PPP_LCP ||
count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN;
}
static ssize_t ppp_write(struct file *file, const char __user *buf, static ssize_t ppp_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
...@@ -515,6 +525,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf, ...@@ -515,6 +525,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
kfree_skb(skb); kfree_skb(skb);
goto out; goto out;
} }
ret = -EINVAL;
if (unlikely(!ppp_check_packet(skb, count))) {
kfree_skb(skb);
goto out;
}
switch (pf->kind) { switch (pf->kind) {
case INTERFACE: case INTERFACE:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment