Unverified Commit 75538b09 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!10608 CVE-2024-41044

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MP64VL7TH576ZEDZ4PRFQCHDT3IPJ7FA/ 
CVE-2024-41044

Dmitry Antipov (1):
  ppp: reject claimed-as-LCP but actually malformed packets

Eric Dumazet (1):
  ppp: ensure minimum packet size in ppp_write()


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IAGEN2 
 
Link:https://gitee.com/openeuler/kernel/pulls/10608

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Reviewed-by: default avatarLiu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parents f10f25f5 aa31f6bf
+21 −1
@@ -73,6 +73,9 @@
#define MPHDRLEN	6	/* multilink protocol header length */
#define MPHDRLEN_SSN	4	/* ditto with short sequence numbers */

#define PPP_PROTO_LEN	2
#define PPP_LCP_HDRLEN	4

/*
 * An instance of /dev/ppp can be associated with either a ppp
 * interface unit or a ppp channel.  In both cases, file->private_data
@@ -493,6 +496,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf,
	return ret;
}

static bool ppp_check_packet(struct sk_buff *skb, size_t count)
{
	/* LCP packets must include LCP header which 4 bytes long:
	 * 1-byte code, 1-byte identifier, and 2-byte length.
	 */
	return get_unaligned_be16(skb->data) != PPP_LCP ||
		count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN;
}

static ssize_t ppp_write(struct file *file, const char __user *buf,
			 size_t count, loff_t *ppos)
{
@@ -502,6 +514,9 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,

	if (!pf)
		return -ENXIO;
	/* All PPP packets should start with the 2-byte protocol */
	if (count < PPP_PROTO_LEN)
		return -EINVAL;
	ret = -ENOMEM;
	skb = alloc_skb(count + pf->hdrlen, GFP_KERNEL);
	if (!skb)
@@ -512,6 +527,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
		kfree_skb(skb);
		goto out;
	}
	ret = -EINVAL;
	if (unlikely(!ppp_check_packet(skb, count))) {
		kfree_skb(skb);
		goto out;
	}

	switch (pf->kind) {
	case INTERFACE:
@@ -1539,7 +1559,7 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
	}

	++ppp->stats64.tx_packets;
	ppp->stats64.tx_bytes += skb->len - 2;
	ppp->stats64.tx_bytes += skb->len - PPP_PROTO_LEN;

	switch (proto) {
	case PPP_IP:
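Review bot: `ppp_check_packet()` reads two bytes from `skb->data` unconditionally, so it is only safe because `ppp_write()` has already rejected `count < PPP_PROTO_LEN` before allocating the skb, and nothing near the helper states that precondition. I would extend its comment with something like `/* Caller must have verified count >= PPP_PROTO_LEN. */`, or fold that bound into the return expression so the helper is safe on its own if it gains another caller. The check also enforces only the minimum LCP size: the 2-byte length field inside the LCP header is not compared with `count`, so any consumer that trusts that field (none is visible in these hunks) still needs its own bound. `ppp_write()` begins and ends outside the hunks shown, so the copy from user space that fills the skb is not visible here.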