From: Dan Carpenter <dan.carpen...@oracle.com>
Date: Wed, 9 Sep 2020 12:46:48 +0300
> There are a couple bugs here:
> 1) If opt[1] is zero then this results in a forever loop. If the value
> is less than 2 then it is invalid.
> 2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
> result in memory corruption.
>
> In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
> of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
> "nak_len" gets out of sync and it can lead to memory corruption in the
> next iterations through the loop. In case of LCP_OPTION_MAGIC, the
> only valid value for opt[1] is 6, but the code is trying to log invalid
> data so we should only discard the data when "len" is less than 6
> because that leads to a read overflow.
>
> Reported-by: ChenNan Of Chaitin Security Research Lab <whutchen...@gmail.com>
> Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic
> HDLC.")
> Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
> Reviewed-by: Eric Dumazet <eduma...@google.com>
> Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
> ---
> v2: check opt[1] < 6 instead of len < 6 for the LCP_OPTION_ACCM case.
Applied and queued up for -stable, thanks Dan.
