projects / profile / wearable / platform / kernel / linux-3.18-exynos7270.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: cb6e949) | patch
ppp, slip: Validate VJ compression slot parameters completely 01/118101/2
authorBen Hutchings <ben@decadent.org.uk>
Sun, 1 Nov 2015 16:22:53 +0000 (16:22 +0000)
committerSeung-Woo Kim <sw0312.kim@samsung.com>
Thu, 9 Mar 2017 00:27:15 +0000 (16:27 -0800)
commit7db62fae0302de1b753020742b50392b96741eb7
treec49b1a8f82bfb936fd6200acd225cd28e4956875tree | snapshot
parentcb6e9492490f5363fcacabdf4e2341bb33d77c2ecommit | diff
ppp, slip: Validate VJ compression slot parameters completely

[ Upstream commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae ]

Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).

Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL.  Change the callers accordingly.

Compile-tested only.

Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[mainline backport of commit 82185755d90c8047c6f4b589c39998ff3d4ca3ad]
Change-Id: Icb00d92ae3e8e8f5d4d06dd55955e1f98a2980b5
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>
drivers/isdn/i4l/isdn_ppp.c diff | blob | history
drivers/net/ppp/ppp_generic.c diff | blob | history
drivers/net/slip/slhc.c diff | blob | history
drivers/net/slip/slip.c diff | blob | history
Domain: System / Kernel;