[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4679116E.9050507@gmail.com>
Date: Wed, 20 Jun 2007 22:37:18 +1100
From: Konstantin Sharlaimov <konstantin.sharlaimov@...il.com>
To: Paul Mackerras <paulus@...ba.org>
CC: Sergey Vlasov <vsu@...linux.ru>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [RFC] [PATCH 2.6.21.5] ppp: fix osize too small errors when decoding
mppe
The mppe_decompress() function required a buffer that is 1 byte too small when
receiving a message of mru size. This fixes buffer allocation to prevent this
from occurring.
Signed-off-by: Konstantin Sharlaimov <konstantin.sharlaimov@...il.com>
---
As Sergey Vlasov pointed out, ppp_mppe-account-for-osize-too-small-errors-in.patch
may cause buffer overflows on certain data. Here is another patch that should
eliminate the "osize too small" errors. Instead of patching mppe_decompress
itself, I have patched ppp_decompress_frame so it would allocate the required
extra byte when using mppe compression.
I didn't have a chance to check this patch carefully yet, but it seem to be
working as expected. Any comments would be greatly appreciated.
--- linux-2.6.21.3/drivers/net/ppp_generic.c.orig 2007-06-20 09:14:13.000000000
+1100
+++ linux-2.6.21.3/drivers/net/ppp_generic.c 2007-06-20 09:18:06.000000000 +1100
@@ -1711,7 +1711,18 @@ ppp_decompress_frame(struct ppp *ppp, st
goto err;
if (proto == PPP_COMP) {
- ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN);
+ int obuff_size;
+
+ switch(ppp->rcomp->compress_proto) {
+ case CI_MPPE:
+ obuff_size = ppp->mru + PPP_HDRLEN + 1;
+ break;
+ default:
+ obuff_size = ppp->mru + PPP_HDRLEN;
+ break;
+ }
+
+ ns = dev_alloc_skb(obuff_size);
if (ns == 0) {
printk(KERN_ERR "ppp_decompress_frame: no memory\n");
goto err;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists