Commit cf4389cb authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] Fix for PPP activ/passiv filter

From: Karsten Keil <kkeil@suse.de>

I found a bug in the PPPIOCSPASS PPPIOCSACTIVE IOCTL implementation in
kernel 2.5/2.6.

The current pppd code use a empty filter (uprog.len=0) to detach the filter
in the kernel, but this code was removed in 2.5.71 while fixing a compiler
warning.

Here the new patch, also with better limit checking.

The second patch check for flen == 0 in the filter check too, since later
in this code a filter[flen - 1] access is done, which is not so funny with
flen 0.  Maybe it's not really needed anymore, since with the first patch
it would not longer called with flen=0.

paulus says:

    It looks correct.  Previously we had (and in 2.4 we still have)

        if (uprog.len > 0 && uprog.len < 65536) {
		...

    which gave warnings since uprog.len is unsigned short.  So someone
    decided that both parts of the condition were redundant.
parent 93ab17e8
...@@ -675,20 +675,25 @@ static int ppp_ioctl(struct inode *inode, struct file *file, ...@@ -675,20 +675,25 @@ static int ppp_ioctl(struct inode *inode, struct file *file,
if (copy_from_user(&uprog, (void __user *) arg, sizeof(uprog))) if (copy_from_user(&uprog, (void __user *) arg, sizeof(uprog)))
break; break;
err = -ENOMEM; err = -EINVAL;
len = uprog.len * sizeof(struct sock_filter); if (uprog.len > BPF_MAXINSNS)
code = kmalloc(len, GFP_KERNEL);
if (code == 0)
break;
err = -EFAULT;
if (copy_from_user(code, (void __user *) uprog.filter, len)) {
kfree(code);
break;
}
err = sk_chk_filter(code, uprog.len);
if (err) {
kfree(code);
break; break;
err = -ENOMEM;
if (uprog.len > 0) {
len = uprog.len * sizeof(struct sock_filter);
code = kmalloc(len, GFP_KERNEL);
if (code == NULL)
break;
err = -EFAULT;
if (copy_from_user(code, (void __user *) uprog.filter, len)) {
kfree(code);
break;
}
err = sk_chk_filter(code, uprog.len);
if (err) {
kfree(code);
break;
}
} }
filtp = (cmd == PPPIOCSPASS)? &ppp->pass_filter: &ppp->active_filter; filtp = (cmd == PPPIOCSPASS)? &ppp->pass_filter: &ppp->active_filter;
ppp_lock(ppp); ppp_lock(ppp);
......
...@@ -332,7 +332,7 @@ int sk_chk_filter(struct sock_filter *filter, int flen) ...@@ -332,7 +332,7 @@ int sk_chk_filter(struct sock_filter *filter, int flen)
struct sock_filter *ftest; struct sock_filter *ftest;
int pc; int pc;
if ((unsigned int)flen >= (~0U / sizeof(struct sock_filter))) if (((unsigned int)flen >= (~0U / sizeof(struct sock_filter))) || flen == 0)
return -EINVAL; return -EINVAL;
/* check the filter code now */ /* check the filter code now */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment