On Tue, 05 Jun 2007 22:23:02 +1100 Konstantin Sharlaimov wrote: > Prevent mppe_decompress() from generating "osize too small" errors when checking > for output buffer size. When receiving a packet of mru size the output buffer > for decrypted data is 1 byte too small since mppe_decompress() tries to account > for possible PFC, however later in code it is assumed no PFC. > > Adjusting the check prevented there errors from occurring. > > Signed-off-by: Konstantin Sharlaimov <[email protected]> > --- > --- linux-2.6.21.3/drivers/net/ppp_mppe.c.orig 2007-06-01 20:57:04.000000000 +1100 > +++ linux-2.6.21.3/drivers/net/ppp_mppe.c 2007-06-05 21:46:30.000000000 +1100 > @@ -493,14 +493,14 @@ mppe_decompress(void *arg, unsigned char > > /* > * Make sure we have enough room to decrypt the packet. > - * Note that for our test we only subtract 1 byte whereas in > - * mppe_compress() we added 2 bytes (+MPPE_OVHD); > - * this is to account for possible PFC. > + * To account for possible PFC we should only subtract 1 > + * byte whereas in mppe_compress() we added 2 bytes (+MPPE_OVHD); > + * However, we assume no PFC, thus subtracting 2 bytes. > */ > - if (osize < isize - MPPE_OVHD - 1) { > + if (osize < isize - MPPE_OVHD - 2) { > printk(KERN_DEBUG "mppe_decompress[%d]: osize too small! " > "(have: %d need: %d)\n", state->unit, > - osize, isize - MPPE_OVHD - 1); > + osize, isize - MPPE_OVHD - 2); > return DECOMP_ERROR; > } > osize = isize - MPPE_OVHD - 2; /* assume no PFC */ Seems that this patch is not correct - even though the comment above says "assume no PFC", the subsequent code actually supports PFC: /* * Do PFC decompression. * This would be nicer if we were given the actual sk_buff * instead of a char *. */ if ((obuf[0] & 0x01) != 0) { obuf[1] = obuf[0]; obuf[0] = 0; obuf++; osize++; } Therefore, depending on the packet contents, the decompressor may really need that extra byte in the output buffer, and changing the check may cause buffer overflows.
Attachment:
pgp87HpAV81R3.pgp
Description: PGP signature
- Follow-Ups:
- References:
- [PATCH 2.6.21.3] ppp_mppe: account for osize too small errors in mppe_decompress()
- From: Konstantin Sharlaimov <[email protected]>
- [PATCH 2.6.21.3] ppp_mppe: account for osize too small errors in mppe_decompress()
- Prev by Date: Re: [RFC][PATCH -mm take5 6/7] add ioctls for adding/removing target
- Next by Date: Re: [PATCH 8/8] cpuidle: first round of documentation updates
- Previous by thread: [PATCH 2.6.21.3] ppp_mppe: account for osize too small errors in mppe_decompress()
- Next by thread: Re: [PATCH 2.6.21.3] ppp_mppe: account for osize too small errors in mppe_decompress()
- Index(es):
 |