ppp, slip: Validate VJ compression slot parameters completely - user/sven/linux.git

diff options

author	Ben Hutchings <ben@decadent.org.uk>	2015-11-01 16:22:53 +0000
committer	Luis Henriques <luis.henriques@canonical.com>	2015-11-16 11:27:22 +0000
commit	9bd814beb46d6d3d5eeb374c2b38c8b75523190a (patch)
tree	bf43484ee4da7d379f2cb8493119b5ddd41c52ca /include/linux
parent	bcd596b01fd5cea4591cd1cc8c1183f3da4bed68 (diff)

ppp, slip: Validate VJ compression slot parameters completely

commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae upstream. Currently slhc_init() treats out-of-range values of rslots and tslots as equivalent to 0, except that if tslots is too large it will dereference a null pointer (CVE-2015-7799). Add a range-check at the top of the function and make it return an ERR_PTR() on error instead of NULL. Change the callers accordingly. Compile-tested only. Reported-by: 郭永刚 <guoyonggang@360.cn> References: http://article.gmane.org/gmane.comp.security.oss.general/17908 Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Moritz Mühlenhoff <jmm@inutil.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

Diffstat (limited to 'include/linux')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: