lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 Jul 2014 20:24:34 +0530 From: Varka Bhadram <varkabhadram@...il.com> To: Christoph Schulz <develop@...stov.de>, netdev@...r.kernel.org CC: linux-ppp@...r.kernel.org, paulus@...ba.org, isdn@...ux-pingi.de Subject: Re: [PATCH net 1/1] net: ppp: fix creating PPP pass and active filters On Sunday 13 July 2014 06:29 PM, Christoph Schulz wrote: > From: Christoph Schulz <develop@...stov.de> > > Commit 568f194e8bd16c353ad50f9ab95d98b20578a39d ("net: ppp: use > sk_unattached_filter api") inadvertently changed the logic when setting > PPP pass and active filters. This applies to both the generic PPP subsystem > implemented by drivers/net/ppp/ppp_generic.c and the ISDN PPP subsystem > implemented by drivers/isdn/i4l/isdn_ppp.c. The original code in ppp_ioctl() > (or isdn_ppp_ioctl(), resp.) handling PPPIOCSPASS and PPPIOCSACTIVE allowed to > remove a pass/active filter previously set by using a filter of length zero. > However, with the new code this is not possible anymore as this case is not > explicitly checked for, which leads to passing NULL as a filter to > sk_unattached_filter_create(). This results in returning EINVAL to the caller. > > Additionally, the variables ppp->pass_filter and ppp->active_filter (or > is->pass_filter and is->active_filter, resp.) are not reset to NULL, although > the filters they point to may have been destroyed by > sk_unattached_filter_destroy(), so in this EINVAL case dangling pointers are > left behind (provided the pointers were previously non-NULL). > > This patch corrects both problems by checking whether the filter passed is > empty or non-empty, and prevents sk_unattached_filter_create() from being > called in the first case. Moreover, the pointers are always reset to NULL > as soon as sk_unattached_filter_destroy() returns. > > Signed-off-by: Christoph Schulz <develop@...stov.de> > --- > diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c > index 61ac632..cd2f4c3 100644 > --- a/drivers/isdn/i4l/isdn_ppp.c > +++ b/drivers/isdn/i4l/isdn_ppp.c > @@ -644,9 +644,15 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg) > fprog.len = len; > fprog.filter = code; > > - if (is->pass_filter) > + if (is->pass_filter) { > sk_unattached_filter_destroy(is->pass_filter); > - err = sk_unattached_filter_create(&is->pass_filter, &fprog); > + is->pass_filter = NULL; > + } > + if (fprog.filter != NULL) > + err = sk_unattached_filter_create(&is->pass_filter, > + &fprog); > + else > + err = 0; > kfree(code); > > return err; > @@ -663,9 +669,15 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg) > fprog.len = len; > fprog.filter = code; > > - if (is->active_filter) > + if (is->active_filter) { > sk_unattached_filter_destroy(is->active_filter); > - err = sk_unattached_filter_create(&is->active_filter, &fprog); > + is->active_filter = NULL; > + } > + if (fprog.filter != NULL) > + err = sk_unattached_filter_create(&is->active_filter, > + &fprog); > + else > + err = 0; > kfree(code); > > return err; > diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c > index 91d6c12..d0f6f93 100644 > --- a/drivers/net/ppp/ppp_generic.c > +++ b/drivers/net/ppp/ppp_generic.c > @@ -763,10 +763,15 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > }; > > ppp_lock(ppp); > - if (ppp->pass_filter) > + if (ppp->pass_filter) { > sk_unattached_filter_destroy(ppp->pass_filter); > - err = sk_unattached_filter_create(&ppp->pass_filter, > - &fprog); > + ppp->pass_filter = NULL; > + } > + if (fprog.filter != NULL) > + err = sk_unattached_filter_create(&ppp->pass_filter, > + &fprog); > + else > + err = 0; > kfree(code); > ppp_unlock(ppp); > } > @@ -784,10 +789,15 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) > }; > > ppp_lock(ppp); > - if (ppp->active_filter) > + if (ppp->active_filter) { > sk_unattached_filter_destroy(ppp->active_filter); > - err = sk_unattached_filter_create(&ppp->active_filter, > - &fprog); > + ppp->active_filter = NULL; > + } > + if (fprog.filter != NULL) > + err = sk_unattached_filter_create(&ppp->active_filter, > + &fprog); > + else > + err = 0; > kfree(code); > ppp_unlock(ppp); > } > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html checkpatch warnings on this patch -- Regards, Varka Bhadram -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists