The mppe_decompress() function required a buffer that is 1 byte too small when
receiving a message of mru size. This fixes buffer allocation to prevent this
from occurring.
Signed-off-by: Konstantin Sharlaimov <[email protected]>
---
As Sergey Vlasov pointed out, ppp_mppe-account-for-osize-too-small-errors-in.patch
may cause buffer overflows on certain data. Here is another patch that should
eliminate the "osize too small" errors. Instead of patching mppe_decompress
itself, I have patched ppp_decompress_frame so it would allocate the required
extra byte when using mppe compression.
I didn't have a chance to check this patch carefully yet, but it seem to be
working as expected. Any comments would be greatly appreciated.
--- linux-2.6.21.3/drivers/net/ppp_generic.c.orig 2007-06-20 09:14:13.000000000
+1100
+++ linux-2.6.21.3/drivers/net/ppp_generic.c 2007-06-20 09:18:06.000000000 +1100
@@ -1711,7 +1711,18 @@ ppp_decompress_frame(struct ppp *ppp, st
goto err;
if (proto == PPP_COMP) {
- ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN);
+ int obuff_size;
+
+ switch(ppp->rcomp->compress_proto) {
+ case CI_MPPE:
+ obuff_size = ppp->mru + PPP_HDRLEN + 1;
+ break;
+ default:
+ obuff_size = ppp->mru + PPP_HDRLEN;
+ break;
+ }
+
+ ns = dev_alloc_skb(obuff_size);
if (ns == 0) {
printk(KERN_ERR "ppp_decompress_frame: no memory\n");
goto err;
From: Konstantin Sharlaimov <[email protected]>
Date: Wed, 20 Jun 2007 22:37:18 +1100
> The mppe_decompress() function required a buffer that is 1 byte too small when
> receiving a message of mru size. This fixes buffer allocation to prevent this
> from occurring.
>
> Signed-off-by: Konstantin Sharlaimov <[email protected]>
This looks better, I've reverted the original version of the
fix and applied this new one.
> --- linux-2.6.21.3/drivers/net/ppp_generic.c.orig 2007-06-20 09:14:13.000000000
> +1100
> +++ linux-2.6.21.3/drivers/net/ppp_generic.c 2007-06-20 09:18:06.000000000 +1100
Please prevent your email client from corrupting patches like
this by adding new lines.
I've fixed up your patches by hand now twice, I'm not going to do it
any more.
Thanks.
On Sat, 2007-06-23 at 23:07 -0700, David Miller wrote:
The original version of this fix have made it to the 2.6.22-rc5 already
and should be replaced with this one, however the two can coexist in the
same code for a while.
> > --- linux-2.6.21.3/drivers/net/ppp_generic.c.orig 2007-06-20 09:14:13.000000000
> > +1100
> > +++ linux-2.6.21.3/drivers/net/ppp_generic.c 2007-06-20 09:18:06.000000000 +1100
>
> Please prevent your email client from corrupting patches like
> this by adding new lines.
Also, thank you for pointing this issue out, I'll fix it.