author | Dan Carpenter <[email protected]> | 2020-09-09 12:46:48 +0300 |
---|---|---|
committer | David S. Miller <[email protected]> | 2020-09-10 13:00:04 -0700 |
commit | 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 (patch) | |
tree | c851c9c1079fb461c454951f52b59579d80a50ac /drivers/usb/cdns3/cdns3-debug.h | |
parent | 7d3ba9360c6dac7c077fbd6631e08f32ea2bcd53 (diff) |
hdlc_ppp: add range checks in ppp_cp_parse_cr()

There are a couple bugs here:

1) If opt[1] is zero then this results in a forever loop. If the value
is less than 2 then it is invalid.
2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
result in memory corruption.

In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
"nak_len" gets out of sync and it can lead to memory corruption in the
next iterations through the loop. In case of LCP_OPTION_MAGIC, the
only valid value for opt[1] is 6, but the code is trying to log invalid
data so we should only discard the data when "len" is less than 6
because that leads to a read overflow.

Reported-by: ChenNan Of Chaitin Security Research Lab <[email protected]>
Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
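
The range checks described in the commit message, shown as an added user-space example; it is not the kernel's code and not part of this commit. The function name `parse_cr_options`, the `magic` out-parameter, the 6-byte `valid_accm` layout, the caller-sized `nak` buffer and the option type numbers (taken from the PPP RFCs) are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define LCP_OPTION_ACCM  2  /* option type numbers, RFC 1662 / RFC 1661 */
#define LCP_OPTION_MAGIC 5

/* Assumed layout: the one ACCM option accepted, as a complete 6-byte TLV. */
static const uint8_t valid_accm[6] = { LCP_OPTION_ACCM, 6, 0, 0, 0, 0 };
/* Hypothetical helper: returns -1 if malformed, else bytes written to nak
 * (caller provides >= len bytes). *magic gets the last magic value read. */
int parse_cr_options(const uint8_t *opt, size_t len, uint8_t *nak, uint32_t *magic)
{
    size_t nak_len = 0;
    while (len > 0) {
        /* opt[1] includes the 2 header bytes: 0 never advances, 1 is
         * invalid, and a value above len runs past the packet. */
        if (len < 2 || opt[1] < 2 || opt[1] > len)
            return -1;
        switch (opt[0]) {
        case LCP_OPTION_ACCM:
            /* Bound the option itself: a short option that still emits
             * 6 NAK bytes lets nak_len outgrow the bytes consumed. */
            if (opt[1] < sizeof(valid_accm))
                return -1;
            if (memcmp(opt, valid_accm, sizeof(valid_accm)) != 0) {
                memcpy(nak + nak_len, valid_accm, sizeof(valid_accm));
                nak_len += sizeof(valid_accm);
            }
            break;
        case LCP_OPTION_MAGIC:
            /* Value bytes are read whatever opt[1] says, so bound by len. */
            if (len < 6)
                return -1;
            *magic = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 |
                     (uint32_t)opt[4] << 8 | opt[5];
            break;
        }
        len -= opt[1];
        opt += opt[1];
    }
    return (int)nak_len;
}

int main(void)
{
    const uint8_t pkt[] = { LCP_OPTION_ACCM, 0 };  /* constructed sample */
    uint8_t nak[sizeof(pkt)]; uint32_t magic = 0;
    return parse_cr_options(pkt, sizeof(pkt), nak, &magic) == -1 ? 0 : 1;
}
```

Because every 6 bytes written to `nak` require an option of at least 6 bytes to be consumed, the NAK output can never exceed the input length.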