git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit
hdlc_ppp: add range checks in ppp_cp_parse_cr()
author Dan Carpenter <dan.carpenter@oracle.com>
Wed, 9 Sep 2020 09:46:48 +0000 (12:46 +0300)
committer Stefan Bader <stefan.bader@canonical.com>
Mon, 9 Nov 2020 13:47:06 +0000 (14:47 +0100)
commit f4e7841ff56004f6b461473171e2a64060c468e4
tree 6580dded699773b34d49116cf7baab848a286679
parent 2a5129dce9b73f9c7b4f4361fb7964df37dc0bb0
hdlc_ppp: add range checks in ppp_cp_parse_cr()

BugLink: https://bugs.launchpad.net/bugs/1899511
[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]

There are a couple bugs here:
1) If opt[1] is zero then this results in a forever loop.  If the value
   is less than 2 then it is invalid.
2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
   result in memory corruption.

In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
"nak_len" gets out of sync and it can lead to memory corruption in the
next iterations through the loop.  In case of LCP_OPTION_MAGIC, the
only valid value for opt[1] is 6, but the code is trying to log invalid
data so we should only discard the data when "len" is less than 6
because that leads to a read overflow.

Reported-by: ChenNan Of Chaitin Security Research Lab <whutchennan@gmail.com>
Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Ian May <ian.may@canonical.com>
drivers/net/wan/hdlc_ppp.c