From: Dan Carpenter <dan.carpen...@oracle.com> Date: Wed, 9 Sep 2020 12:46:48 +0300
> There are a couple bugs here: > 1) If opt[1] is zero then this results in a forever loop. If the value > is less than 2 then it is invalid. > 2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can > result in memory corruption. > > In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead > of "len" because, if "opt[1]" is less than sizeof(valid_accm) then > "nak_len" gets out of sync and it can lead to memory corruption in the > next iterations through the loop. In case of LCP_OPTION_MAGIC, the > only valid value for opt[1] is 6, but the code is trying to log invalid > data so we should only discard the data when "len" is less than 6 > because that leads to a read overflow. > > Reported-by: ChenNan Of Chaitin Security Research Lab <whutchen...@gmail.com> > Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic > HDLC.") > Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> > Reviewed-by: Eric Dumazet <eduma...@google.com> > Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> > --- > v2: check opt[1] < 6 instead of len < 6 for the LCP_OPTION_ACCM case. Applied and queued up for -stable, thanks Dan.