diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2015-11-01 16:22:53 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-11-02 16:25:00 -0500 |
commit | 4ab42d78e37a294ac7bc56901d563c642e03c4ae (patch) | |
tree | eed185aafd345a302f05711c3e6d5d80fca7c3f9 /drivers/net/slip/slip.c | |
parent | 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 (diff) | |
download | op-kernel-dev-4ab42d78e37a294ac7bc56901d563c642e03c4ae.zip op-kernel-dev-4ab42d78e37a294ac7bc56901d563c642e03c4ae.tar.gz |
ppp, slip: Validate VJ compression slot parameters completely
Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).
Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL. Change the callers accordingly.
Compile-tested only.
Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/slip/slip.c')
-rw-r--r-- | drivers/net/slip/slip.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c index 05387b1..a17d86a 100644 --- a/drivers/net/slip/slip.c +++ b/drivers/net/slip/slip.c @@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu) if (cbuff == NULL) goto err_exit; slcomp = slhc_init(16, 16); - if (slcomp == NULL) + if (IS_ERR(slcomp)) goto err_exit; #endif spin_lock_bh(&sl->lock); |