BUG Fix for PPP activ/passiv filter in 2.6

[Karsten Keil]

Hi all,

I found a bug in the PPPIOCSPASS PPPIOCSACTIVE IOCTL implementation in
kernel 2.5/2.6.

The current pppd code use a empty filter (uprog.len=0) to detach the filter
in the kernel, but this code was removed in 2.5.71 while fixing a compiler
warning.

Here the new patch, also with better limit checking.

The second patch check for flen == 0 in the filter check too, since later in
this code a filter[flen - 1] access is done, which is not so funny with flen
0. Maybe it's not really needed anymore, since with the first patch it would
not longer called with flen=0.

diff -urN linux-2.6.3-rc2-bk4.org/drivers/net/ppp_generic.c linux-2.6.3-rc2-bk4/drivers/net/ppp_generic.c
--- linux-2.6.3-rc2-bk4.org/drivers/net/ppp_generic.c	2004-02-11 15:31:33.000000000 +0100
+++ linux-2.6.3-rc2-bk4/drivers/net/ppp_generic.c	2004-02-14 16:39:39.000000000 +0100
@@ -675,20 +675,25 @@
 
 		if (copy_from_user(&uprog, (void __user *) arg, sizeof(uprog)))
 			break;
-		err = -ENOMEM;
-		len = uprog.len * sizeof(struct sock_filter);
-		code = kmalloc(len, GFP_KERNEL);
-		if (code == 0)
-			break;
-		err = -EFAULT;
-		if (copy_from_user(code, (void __user *) uprog.filter, len)) {
-			kfree(code);
-			break;
-		}
-		err = sk_chk_filter(code, uprog.len);
-		if (err) {
-			kfree(code);
+		err = -EINVAL;
+		if (uprog.len > BPF_MAXINSNS)
 			break;
+		err = -ENOMEM;
+		if (uprog.len > 0) {
+			len = uprog.len * sizeof(struct sock_filter);
+			code = kmalloc(len, GFP_KERNEL);
+			if (code == NULL)
+				break;
+			err = -EFAULT;
+			if (copy_from_user(code, (void __user *) uprog.filter, len)) {
+				kfree(code);
+				break;
+			}
+			err = sk_chk_filter(code, uprog.len);
+			if (err) {
+				kfree(code);
+				break;
+			}
 		}
 		filtp = (cmd == PPPIOCSPASS)? &ppp->pass_filter: &ppp->active_filter;
 		ppp_lock(ppp);
diff -urN linux-2.6.3-rc2-bk4.org/net/core/filter.c linux-2.6.3-rc2-bk4/net/core/filter.c
--- linux-2.6.3-rc2-bk4.org/net/core/filter.c	2003-12-18 03:58:39.000000000 +0100
+++ linux-2.6.3-rc2-bk4/net/core/filter.c	2004-02-14 16:39:39.000000000 +0100
@@ -332,7 +332,7 @@
 	struct sock_filter *ftest;
 	int pc;
 
-	if ((unsigned int)flen >= (~0U / sizeof(struct sock_filter)))
+	if (((unsigned int)flen >= (~0U / sizeof(struct sock_filter))) || flen == 0)
 		return -EINVAL;
 
 	/* check the filter code now */


-- 
Karsten Keil
SuSE Labs
ISDN development
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/