From 7e4a6da7c2a1e0df06b71dc4ddc31910229ba9d9 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Sat, 23 Jun 2007 23:04:11 -0700 Subject: [PPP]: Revert 606f585e363527da9feaed79465132c0c661fd9e This can cause packet buffer overflows in certain cases, the real bug will be fixed differently in a followon changeset. Signed-off-by: David S. Miller --- drivers/net/ppp_mppe.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'drivers') diff --git a/drivers/net/ppp_mppe.c b/drivers/net/ppp_mppe.c index 5ae80bbe2ed..d5bdd257465 100644 --- a/drivers/net/ppp_mppe.c +++ b/drivers/net/ppp_mppe.c @@ -493,14 +493,14 @@ mppe_decompress(void *arg, unsigned char *ibuf, int isize, unsigned char *obuf, /* * Make sure we have enough room to decrypt the packet. - * To account for possible PFC we should only subtract 1 - * byte whereas in mppe_compress() we added 2 bytes (+MPPE_OVHD); - * However, we assume no PFC, thus subtracting 2 bytes. + * Note that for our test we only subtract 1 byte whereas in + * mppe_compress() we added 2 bytes (+MPPE_OVHD); + * this is to account for possible PFC. */ - if (osize < isize - MPPE_OVHD - 2) { + if (osize < isize - MPPE_OVHD - 1) { printk(KERN_DEBUG "mppe_decompress[%d]: osize too small! " "(have: %d need: %d)\n", state->unit, - osize, isize - MPPE_OVHD - 2); + osize, isize - MPPE_OVHD - 1); return DECOMP_ERROR; } osize = isize - MPPE_OVHD - 2; /* assume no PFC */ -- cgit v1.2.3 From 4b2a8fb3a7f7935f62a7bbdc851789fb7c2da032 Mon Sep 17 00:00:00 2001 From: Konstantin Sharlaimov Date: Sat, 23 Jun 2007 23:05:54 -0700 Subject: [PPP]: Fix osize too small errors when decoding mppe. The mppe_decompress() function required a buffer that is 1 byte too small when receiving a message of mru size. This fixes buffer allocation to prevent this from occurring. Signed-off-by: Konstantin Sharlaimov Signed-off-by: David S. Miller --- drivers/net/ppp_generic.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/net/ppp_generic.c b/drivers/net/ppp_generic.c index 541168713f1..3ef0092dc09 100644 --- a/drivers/net/ppp_generic.c +++ b/drivers/net/ppp_generic.c @@ -1708,7 +1708,18 @@ ppp_decompress_frame(struct ppp *ppp, struct sk_buff *skb) goto err; if (proto == PPP_COMP) { - ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN); + int obuff_size; + + switch(ppp->rcomp->compress_proto) { + case CI_MPPE: + obuff_size = ppp->mru + PPP_HDRLEN + 1; + break; + default: + obuff_size = ppp->mru + PPP_HDRLEN; + break; + } + + ns = dev_alloc_skb(obuff_size); if (ns == 0) { printk(KERN_ERR "ppp_decompress_frame: no memory\n"); goto err; -- cgit v1.2.3