summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorGuillaume Nault <g.nault@alphalink.fr>2016-02-23 12:59:43 (GMT)
committerDavid S. Miller <davem@davemloft.net>2016-02-25 04:52:51 (GMT)
commit555d5b70f1597906dc2e31085f5e70b49d03a536 (patch)
tree6167393b53a3cece4957cca9e0167af387c573c5 /drivers
parent4fee7dab07bb2c7dfc3369e0f0e28e3fd4fc00c4 (diff)
downloadlinux-555d5b70f1597906dc2e31085f5e70b49d03a536.tar.xz
ppp: clarify parsing of user supplied data in ppp_set_compress()
* Split big conditional statement. * Check (data.length <= CCP_MAX_OPTION_LENGTH) only once. * Don't read ccp_option[1] if not initialised. Reading uninitialised ccp_option[1] was harmless, because this could only happen when data.length was 0 or 1. So even then, we couldn't pass the (ccp_option[1] < 2 || ccp_option[1] > data.length) test anyway. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/ppp/ppp_generic.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index fc8ad00..04f4eb3 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2429,13 +2429,15 @@ ppp_set_compress(struct ppp *ppp, unsigned long arg)
unsigned char ccp_option[CCP_MAX_OPTION_LENGTH];
err = -EFAULT;
- if (copy_from_user(&data, (void __user *) arg, sizeof(data)) ||
- (data.length <= CCP_MAX_OPTION_LENGTH &&
- copy_from_user(ccp_option, (void __user *) data.ptr, data.length)))
+ if (copy_from_user(&data, (void __user *) arg, sizeof(data)))
goto out;
+ if (data.length > CCP_MAX_OPTION_LENGTH)
+ goto out;
+ if (copy_from_user(ccp_option, (void __user *) data.ptr, data.length))
+ goto out;
+
err = -EINVAL;
- if (data.length > CCP_MAX_OPTION_LENGTH ||
- ccp_option[1] < 2 || ccp_option[1] > data.length)
+ if (data.length < 2 || ccp_option[1] < 2 || ccp_option[1] > data.length)
goto out;
cp = try_then_request_module(