| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 Jul 2014 20:24:34 +0530
From: Varka Bhadram <varkabhadram@...il.com>
To: Christoph Schulz <develop@...stov.de>, netdev@...r.kernel.org
CC: linux-ppp@...r.kernel.org, paulus@...ba.org, isdn@...ux-pingi.de
Subject: Re: [PATCH net 1/1] net: ppp: fix creating PPP pass and active filters
On Sunday 13 July 2014 06:29 PM, Christoph Schulz wrote:
> From: Christoph Schulz <develop@...stov.de>
>
> Commit 568f194e8bd16c353ad50f9ab95d98b20578a39d ("net: ppp: use
> sk_unattached_filter api") inadvertently changed the logic when setting
> PPP pass and active filters. This applies to both the generic PPP subsystem
> implemented by drivers/net/ppp/ppp_generic.c and the ISDN PPP subsystem
> implemented by drivers/isdn/i4l/isdn_ppp.c. The original code in ppp_ioctl()
> (or isdn_ppp_ioctl(), resp.) handling PPPIOCSPASS and PPPIOCSACTIVE allowed to
> remove a pass/active filter previously set by using a filter of length zero.
> However, with the new code this is not possible anymore as this case is not
> explicitly checked for, which leads to passing NULL as a filter to
> sk_unattached_filter_create(). This results in returning EINVAL to the caller.
>
> Additionally, the variables ppp->pass_filter and ppp->active_filter (or
> is->pass_filter and is->active_filter, resp.) are not reset to NULL, although
> the filters they point to may have been destroyed by
> sk_unattached_filter_destroy(), so in this EINVAL case dangling pointers are
> left behind (provided the pointers were previously non-NULL).
>
> This patch corrects both problems by checking whether the filter passed is
> empty or non-empty, and prevents sk_unattached_filter_create() from being
> called in the first case. Moreover, the pointers are always reset to NULL
> as soon as sk_unattached_filter_destroy() returns.
>
> Signed-off-by: Christoph Schulz <develop@...stov.de>
> ---
> diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
> index 61ac632..cd2f4c3 100644
> --- a/drivers/isdn/i4l/isdn_ppp.c
> +++ b/drivers/isdn/i4l/isdn_ppp.c
> @@ -644,9 +644,15 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
> fprog.len = len;
> fprog.filter = code;
>
> - if (is->pass_filter)
> + if (is->pass_filter) {
> sk_unattached_filter_destroy(is->pass_filter);
> - err = sk_unattached_filter_create(&is->pass_filter, &fprog);
> + is->pass_filter = NULL;
> + }
> + if (fprog.filter != NULL)
> + err = sk_unattached_filter_create(&is->pass_filter,
> + &fprog);
> + else
> + err = 0;
> kfree(code);
>
> return err;
> @@ -663,9 +669,15 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
> fprog.len = len;
> fprog.filter = code;
>
> - if (is->active_filter)
> + if (is->active_filter) {
> sk_unattached_filter_destroy(is->active_filter);
> - err = sk_unattached_filter_create(&is->active_filter, &fprog);
> + is->active_filter = NULL;
> + }
> + if (fprog.filter != NULL)
> + err = sk_unattached_filter_create(&is->active_filter,
> + &fprog);
> + else
> + err = 0;
> kfree(code);
>
> return err;
> diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
> index 91d6c12..d0f6f93 100644
> --- a/drivers/net/ppp/ppp_generic.c
> +++ b/drivers/net/ppp/ppp_generic.c
> @@ -763,10 +763,15 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> };
>
> ppp_lock(ppp);
> - if (ppp->pass_filter)
> + if (ppp->pass_filter) {
> sk_unattached_filter_destroy(ppp->pass_filter);
> - err = sk_unattached_filter_create(&ppp->pass_filter,
> - &fprog);
> + ppp->pass_filter = NULL;
> + }
> + if (fprog.filter != NULL)
> + err = sk_unattached_filter_create(&ppp->pass_filter,
> + &fprog);
> + else
> + err = 0;
> kfree(code);
> ppp_unlock(ppp);
> }
> @@ -784,10 +789,15 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
> };
>
> ppp_lock(ppp);
> - if (ppp->active_filter)
> + if (ppp->active_filter) {
> sk_unattached_filter_destroy(ppp->active_filter);
> - err = sk_unattached_filter_create(&ppp->active_filter,
> - &fprog);
> + ppp->active_filter = NULL;
> + }
> + if (fprog.filter != NULL)
> + err = sk_unattached_filter_create(&ppp->active_filter,
> + &fprog);
> + else
> + err = 0;
> kfree(code);
> ppp_unlock(ppp);
> }
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
checkpatch warnings on this patch
--
Regards,
Varka Bhadram
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists