diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2015-11-01 16:22:53 +0000 |
---|---|---|
committer | Jiri Slaby <jslaby@suse.cz> | 2016-01-27 09:56:19 +0100 |
commit | 354b254af5c1350de9586af75fe5a821b35bfb33 (patch) | |
tree | f25c18aa76ba5a18797a1b4ba8dcac686d3309ae /Makefile | |
parent | a4c5c2262fc842e0323043a23a84be706760d628 (diff) |
ppp, slip: Validate VJ compression slot parameters completely
commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae upstream.
Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).
Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL. Change the callers accordingly.
Compile-tested only.
Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Diffstat (limited to 'Makefile')
0 files changed, 0 insertions, 0 deletions