www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Ben Hutchings <ben@decadent.org.uk>
	Sun, 1 Nov 2015 16:22:53 +0000 (16:22 +0000)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Thu, 26 May 2016 22:43:29 +0000 (15:43 -0700)
commit	1f5420e98b5feb0a3320f603a4a808e6ba6e8ee4
tree	c8df1d0e6e5c945633b3b0505b3f1590e7981fac	tree
parent	8d63bd4d6869960cc4af0629b1d817895480d3ca	commit \| diff

ppp, slip: Validate VJ compression slot parameters completely

Orabug: 23330566

[ Upstream commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae ]

Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).

Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL. Change the callers accordingly.

Compile-tested only.

Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a50a93cc99286dc444c7e5ccc7dfb9d58c2d346d)

Signed-off-by: Dan Duval <dan.duval@oracle.com>

drivers/isdn/i4l/isdn_ppp.c		diff \| blob \| history
drivers/net/ppp/ppp_generic.c		diff \| blob \| history
drivers/net/slip/slhc.c		diff \| blob \| history
drivers/net/slip/slip.c		diff \| blob \| history