[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1157067913.2634.3.camel@localhost.localdomain>
Date: Thu, 31 Aug 2006 18:45:13 -0500
From: Paul Fulghum <paulkf@...rogate.com>
To: Eric Sesterhenn <snakebyte@....de>
Cc: linux-kernel@...r.kernel.org
Subject: Re: [Patch] Uninitialized variable in drivers/net/wan/syncppp.c
On Fri, 2006-09-01 at 01:13 +0200, Eric Sesterhenn wrote:
> --- linux-2.6.18-rc5/drivers/net/wan/syncppp.c.orig 2006-09-01 00:55:08.000000000 +0200
> +++ linux-2.6.18-rc5/drivers/net/wan/syncppp.c 2006-09-01 00:55:45.000000000 +0200
> @@ -505,14 +505,15 @@ static void sppp_lcp_input (struct sppp
> skb->len, h);
> break;
> case LCP_CONF_REQ:
> - if (len < 4) {
> + if (len <= 4) {
> if (sp->pp_flags & PP_DEBUG)
> printk (KERN_DEBUG"%s: invalid lcp configure request packet length: %d bytes\n",
> dev->name, len);
> break;
> }
> - if (len>4 && !sppp_lcp_conf_parse_options (sp, h, len, &rmagic))
> + if (!sppp_lcp_conf_parse_options (sp, h, len, &rmagic))
> goto badreq;
> +
> if (rmagic == sp->lcp.magic) {
> /* Local and remote magics equal -- loopback? */
> if (sp->pp_loopcnt >= MAXALIVECNT*5) {
This is not correct.
>>From RFC1661:
Valid LCP configuration requests can have zero options (len == 4).
If the magic number option is not included in the LCP CFG REQ,
then the magic number should be treated as zero.
The correct fix is to initialize rmagic to zero before
the if (len>4 && !sppp_lcp_conf_parse_options()) line.
--
Paul
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists