Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 97d1efd8 authored by Dmitry Antipov's avatar Dmitry Antipov Committed by Greg Kroah-Hartman
Browse files

ppp: reject claimed-as-LCP but actually malformed packets 



[ Upstream commit f2aeb7306a898e1cbd03963d376f4b6656ca2b55 ]

Since 'ppp_async_encode()' assumes valid LCP packets (with code
from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that
LCP packet has an actual body beyond PPP_LCP header bytes, and
reject claimed-as-LCP but actually malformed data otherwise.

Reported-by: default avatar <syzbot+ec0723ba9605678b14bf@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=ec0723ba9605678b14bf


Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarDmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 1a2db00a

drivers/net/ppp/ppp_generic.c

+15 −0
Original line number Diff line number Diff line
@@ -74,6 +74,7 @@ 
#define MPHDRLEN_SSN	4	/* ditto with short sequence numbers */



#define PPP_PROTO_LEN	2

#define PPP_LCP_HDRLEN	4



/*

 * An instance of /dev/ppp can be associated with either a ppp
@@ -495,6 +496,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf, 
	return ret;

}



static bool ppp_check_packet(struct sk_buff *skb, size_t count)

{

	/* LCP packets must include LCP header which 4 bytes long:

	 * 1-byte code, 1-byte identifier, and 2-byte length.

	 */

	return get_unaligned_be16(skb->data) != PPP_LCP ||

		count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN;

}



static ssize_t ppp_write(struct file *file, const char __user *buf,

			 size_t count, loff_t *ppos)

{
@@ -517,6 +527,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf, 
		kfree_skb(skb);

		goto out;

	}

	ret = -EINVAL;

	if (unlikely(!ppp_check_packet(skb, count))) {

		kfree_skb(skb);

		goto out;

	}



	switch (pf->kind) {

	case INTERFACE: