Unverified Commit 7dfbf299 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!10600 ppp: reject claimed-as-LCP but actually malformed packets 

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/Y2TESY5BXKG6RTDI2VETXX3L6BN6DG47/ 
 
https://gitee.com/src-openeuler/kernel/issues/IAGEN2 
 
Link:https://gitee.com/openeuler/kernel/pulls/10600

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parents 8498e656 2af10338

drivers/net/ppp/ppp_generic.c

+15 −0
Original line number Diff line number Diff line
@@ -70,6 +70,7 @@ 
#define MPHDRLEN_SSN	4	/* ditto with short sequence numbers */



#define PPP_PROTO_LEN	2

#define PPP_LCP_HDRLEN	4



/*

 * An instance of /dev/ppp can be associated with either a ppp
@@ -489,6 +490,15 @@ static ssize_t ppp_read(struct file *file, char __user *buf, 
	return ret;

}



static bool ppp_check_packet(struct sk_buff *skb, size_t count)

{

	/* LCP packets must include LCP header which 4 bytes long:

	 * 1-byte code, 1-byte identifier, and 2-byte length.

	 */

	return get_unaligned_be16(skb->data) != PPP_LCP ||

		count >= PPP_PROTO_LEN + PPP_LCP_HDRLEN;

}



static ssize_t ppp_write(struct file *file, const char __user *buf,

			 size_t count, loff_t *ppos)

{
@@ -511,6 +521,11 @@ static ssize_t ppp_write(struct file *file, const char __user *buf, 
		kfree_skb(skb);

		goto out;

	}

	ret = -EINVAL;

	if (unlikely(!ppp_check_packet(skb, count))) {

		kfree_skb(skb);

		goto out;

	}



	switch (pf->kind) {

	case INTERFACE: