[PPP]: Fix skbuff.c:BUG due incorrect logic in process_input_packet()
From: Paul Mackerras <paulus@samba.org>

This fixes:

Subject: kernel BUG at net/core/skbuff.c in linux-2.6.21-rc6

process_input_packet() treats the case where the first byte is 0xff
(PPP_ALLSTATIONS) but the second byte is 0x03 (PPP_UI) as indicating a
packet with a PPP protocol number of 0xff.  Arguably that's wrong
since PPP protocol 0xff is reserved, and the RFC does envision the
possibility of receiving frames where the control field has values
other than 0x03.

Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Mackerras authored and David S. Miller committed Apr 19, 2007
1 parent 895e1fc commit 7c5050e
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions drivers/net/ppp_async.c
Expand Up @@ -802,9 +802,9 @@ process_input_packet(struct asyncppp *ap)

/* check for address/control and protocol compression */
p = skb->data;
if (p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) {
if (p[0] == PPP_ALLSTATIONS) {
/* chop off address/control */
if (skb->len < 3)
if (p[1] != PPP_UI || skb->len < 3)
goto err;
p = skb_pull(skb, 2);
}
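Review bot: in the new inner test `if (p[1] != PPP_UI || skb->len < 3)`, `p[1]` is read before the length is checked, and the outer `if (p[0] == PPP_ALLSTATIONS)` no longer constrains the second byte, so for a frame shorter than two bytes the comparison looks at a byte beyond the payload. Unless a check outside this hunk already guarantees `skb->len >= 2`, put the length test first: `if (skb->len < 3 || p[1] != PPP_UI)`. It would also help to extend the `/* chop off address/control */` comment to say that a frame starting with PPP_ALLSTATIONS but carrying a control byte other than PPP_UI now goes to `err` and is dropped, since that is the behavioural change and the code alone does not explain why.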