提交 7c5050e3 编写于 作者: P Paul Mackerras 提交者: David S. Miller

[PPP]: Fix skbuff.c:BUG due incorrect logic in process_input_packet()

From: Paul Mackerras <paulus@samba.org>

This fixes:

Subject: kernel BUG at net/core/skbuff.c in linux-2.6.21-rc6

process_input_packet() treats the case where the first byte is 0xff
(PPP_ALLSTATIONS) but the second byte is 0x03 (PPP_UI) as indicating a
packet with a PPP protocol number of 0xff.  Arguably that's wrong
since PPP protocol 0xff is reserved, and the RFC does envision the
possibility of receiving frames where the control field has values
other than 0x03.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 895e1fc7
...@@ -802,9 +802,9 @@ process_input_packet(struct asyncppp *ap) ...@@ -802,9 +802,9 @@ process_input_packet(struct asyncppp *ap)
/* check for address/control and protocol compression */ /* check for address/control and protocol compression */
p = skb->data; p = skb->data;
if (p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) { if (p[0] == PPP_ALLSTATIONS) {
/* chop off address/control */ /* chop off address/control */
if (skb->len < 3) if (p[1] != PPP_UI || skb->len < 3)
goto err; goto err;
p = skb_pull(skb, 2); p = skb_pull(skb, 2);
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册