author Dan Carpenter <dan.carpenter@oracle.com> 2020-09-09 12:46:48 +0300
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-09-26 18:01:29 +0200
commit 45676c0bc28eff8f46455b28e2db80a77676488b (patch)
tree b378f1f8aef79c8a2b49d1299c74546aa9058ba9 /CREDITS
parent c797110d97c48054d1491251fd713900ff51615c (diff)
hdlc_ppp: add range checks in ppp_cp_parse_cr()
[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]

There are a couple bugs here:
1) If opt[1] is zero then this results in a forever loop. If the value
   is less than 2 then it is invalid.
2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
   result in memory corruption.

In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
"nak_len" gets out of sync and it can lead to memory corruption in the
next iterations through the loop. In case of LCP_OPTION_MAGIC, the
only valid value for opt[1] is 6, but the code is trying to log invalid
data so we should only discard the data when "len" is less than 6
because that leads to a read overflow.

Reported-by: ChenNan Of Chaitin Security Research Lab <whutchennan@gmail.com>
Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'CREDITS')
0 files changed, 0 insertions, 0 deletions
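
The kind of range check the commit message describes, as an added example that is not the kernel's code: a stand-alone walker over type/length options that validates `opt[1]` before using it. The function name `walk_options`, the `OPT_*` constants (option numbers assumed from RFC 1661/1662) and the sample buffers are hypothetical, and rejecting the whole buffer on a bad length is a simplification of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed option numbers (RFC 1661/1662); not taken from the page. */
#define OPT_ACCM      2
#define OPT_MAGIC     5
#define OPT_FIXED_LEN 6   /* type byte + length byte + 4 data bytes */

/*
 * Walk a buffer of options where opt[0] is the type and opt[1] is the
 * total option length including the 2-byte header. Returns the number
 * of options accepted, or -1 if any length field is out of range.
 */
int walk_options(const uint8_t *buf, size_t len)
{
    const uint8_t *opt = buf;
    int count = 0;

    while (len > 0) {
        if (len < 2)                 /* header itself must fit */
            return -1;
        size_t olen = opt[1];
        /* olen < 2 never advances past the header (0 loops forever);
         * olen > len would step past the end of the buffer. */
        if (olen < 2 || olen > len)
            return -1;
        /* Fixed-size options: check the option's own length field, not
         * the remaining buffer length, before using its 4 data bytes. */
        if ((opt[0] == OPT_ACCM || opt[0] == OPT_MAGIC) &&
            olen != OPT_FIXED_LEN)
            return -1;
        count++;
        len -= olen;
        opt += olen;
    }
    return count;
}

/* Constructed sample inputs. */
static const uint8_t good[]       = { 2, 6, 0, 0, 0, 0, 5, 6, 1, 2, 3, 4 };
static const uint8_t zero_len[]   = { 1, 0, 0, 0 };   /* opt[1] == 0 */
static const uint8_t too_long[]   = { 5, 6, 1, 2 };   /* opt[1] > len */
static const uint8_t short_accm[] = { 2, 4, 0, 0, 5, 6, 1, 2, 3, 4 };

int main(void)
{
    printf("good=%d zero_len=%d too_long=%d short_accm=%d\n",
           walk_options(good, sizeof good),
           walk_options(zero_len, sizeof zero_len),
           walk_options(too_long, sizeof too_long),
           walk_options(short_accm, sizeof short_accm));
    return 0;
}
```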