From 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 1 Nov 2015 16:21:24 +0000 Subject: isdn_ppp: Add checks for allocation failure in isdn_ppp_open() Compile-tested only. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller --- drivers/isdn/i4l/isdn_ppp.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'drivers/isdn') diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c index c4198fa490bf..86f9abebcb72 100644 --- a/drivers/isdn/i4l/isdn_ppp.c +++ b/drivers/isdn/i4l/isdn_ppp.c @@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file) is->compflags = 0; is->reset = isdn_ppp_ccp_reset_alloc(is); + if (!is->reset) + return -ENOMEM; is->lp = NULL; is->mp_seqno = 0; /* MP sequence number */ @@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file) * VJ header compression init */ is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ + if (!is->slcomp) { + isdn_ppp_ccp_reset_free(is); + return -ENOMEM; + } #endif #ifdef CONFIG_IPPP_FILTER is->pass_filter = NULL; -- cgit v1.2.3 From 4ab42d78e37a294ac7bc56901d563c642e03c4ae Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 1 Nov 2015 16:22:53 +0000 Subject: ppp, slip: Validate VJ compression slot parameters completely MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently slhc_init() treats out-of-range values of rslots and tslots as equivalent to 0, except that if tslots is too large it will dereference a null pointer (CVE-2015-7799). Add a range-check at the top of the function and make it return an ERR_PTR() on error instead of NULL. Change the callers accordingly. Compile-tested only. Reported-by: 郭永刚 References: http://article.gmane.org/gmane.comp.security.oss.general/17908 Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller --- drivers/isdn/i4l/isdn_ppp.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'drivers/isdn') diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c index 86f9abebcb72..9c1e8adaf4fc 100644 --- a/drivers/isdn/i4l/isdn_ppp.c +++ b/drivers/isdn/i4l/isdn_ppp.c @@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file) * VJ header compression init */ is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ - if (!is->slcomp) { + if (IS_ERR(is->slcomp)) { isdn_ppp_ccp_reset_free(is); - return -ENOMEM; + return PTR_ERR(is->slcomp); } #endif #ifdef CONFIG_IPPP_FILTER @@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg) is->maxcid = val; #ifdef CONFIG_ISDN_PPP_VJ sltmp = slhc_init(16, val); - if (!sltmp) { - printk(KERN_ERR "ippp, can't realloc slhc struct\n"); - return -ENOMEM; - } + if (IS_ERR(sltmp)) + return PTR_ERR(sltmp); if (is->slcomp) slhc_free(is->slcomp); is->slcomp = sltmp; -- cgit v1.2.3