hdlc_ppp: add range checks in ppp_cp_parse_cr()
There are a couple bugs here:
1) If opt[1] is zero then this results in a forever loop. If the value
is less than 2 then it is invalid.
2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
result in memory corruption.
In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
"nak_len" gets out of sync and it can lead to memory corruption in the
next iterations through the loop. In case of LCP_OPTION_MAGIC, the
only valid value for opt[1] is 6, but the code is trying to log invalid
data so we should only discard the data when "len" is less than 6
because that leads to a read overflow.
Reported-by: ChenNan Of Chaitin Security Research Lab <whutchennan@gmail.com>
Fixes: e022c2f07a
("WAN: new synchronous PPP implementation for generic HDLC.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
7d3ba9360c
commit
66d42ed8b2
|
@ -383,11 +383,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
|
|||
}
|
||||
|
||||
for (opt = data; len; len -= opt[1], opt += opt[1]) {
|
||||
if (len < 2 || len < opt[1]) {
|
||||
dev->stats.rx_errors++;
|
||||
kfree(out);
|
||||
return; /* bad packet, drop silently */
|
||||
}
|
||||
if (len < 2 || opt[1] < 2 || len < opt[1])
|
||||
goto err_out;
|
||||
|
||||
if (pid == PID_LCP)
|
||||
switch (opt[0]) {
|
||||
|
@ -395,6 +392,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
|
|||
continue; /* MRU always OK and > 1500 bytes? */
|
||||
|
||||
case LCP_OPTION_ACCM: /* async control character map */
|
||||
if (opt[1] < sizeof(valid_accm))
|
||||
goto err_out;
|
||||
if (!memcmp(opt, valid_accm,
|
||||
sizeof(valid_accm)))
|
||||
continue;
|
||||
|
@ -406,6 +405,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
|
|||
}
|
||||
break;
|
||||
case LCP_OPTION_MAGIC:
|
||||
if (len < 6)
|
||||
goto err_out;
|
||||
if (opt[1] != 6 || (!opt[2] && !opt[3] &&
|
||||
!opt[4] && !opt[5]))
|
||||
break; /* reject invalid magic number */
|
||||
|
@ -424,6 +425,11 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
|
|||
ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
|
||||
|
||||
kfree(out);
|
||||
return;
|
||||
|
||||
err_out:
|
||||
dev->stats.rx_errors++;
|
||||
kfree(out);
|
||||
}
|
||||
|
||||
static int ppp_rx(struct sk_buff *skb)
|
||||
|
|
Loading…
Reference in New Issue