Commit 2af10338 authored by Dmitry Antipov's avatar Dmitry Antipov Committed by Liu Jian
Browse files

ppp: reject claimed-as-LCP but actually malformed packets 

stable inclusion
from stable-v5.10.222
commit 3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEN2
CVE: CVE-2024-41044

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56



---------------------------

[ Upstream commit f2aeb7306a898e1cbd03963d376f4b6656ca2b55 ]

Since 'ppp_async_encode()' assumes valid LCP packets (with code
from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that
LCP packet has an actual body beyond PPP_LCP header bytes, and
reject claimed-as-LCP but actually malformed data otherwise.

Reported-by: default avatar <syzbot+ec0723ba9605678b14bf@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=ec0723ba9605678b14bf


Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: default avatarDmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
parent 632b5bcf

drivers/net/ppp/ppp_generic.c

+15 −0
Original line number Diff line number Diff line
@@ -70,6 +70,7 @@ 
#define MPHDRLEN_SSN	4	/* ditto with short sequence numbers */



#define PPP_PROTO_LEN	2

#define PPP_LCP_HDRLEN	4



/*

 * An instance of /dev/ppp can be associated with either a ppp
@@ -489,6 +490,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf, 
	return ret;

}



static bool ppp_check_packet(struct sk_buff *skb, size_t count)

{

	/* LCP packets must include LCP header which 4 bytes long:

	 * 1-byte code, 1-byte identifier, and 2-byte length.

	 */

	return get_unaligned_be16(skb->data) != PPP_LCP ||

		count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN;

}



static ssize_t ppp_write(struct file *file, const char __user *buf,

			 size_t count, loff_t *ppos)

{
@@ -511,6 +521,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf, 
		kfree_skb(skb);

		goto out;

	}

	ret = -EINVAL;

	if (unlikely(!ppp_check_packet(skb, count))) {

		kfree_skb(skb);

		goto out;

	}



	switch (pf->kind) {

	case INTERFACE: