diff options
author | Guillaume Nault <g.nault@alphalink.fr> | 2016-02-23 12:59:43 (GMT) |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-02-25 04:52:51 (GMT) |
commit | 555d5b70f1597906dc2e31085f5e70b49d03a536 (patch) | |
tree | 6167393b53a3cece4957cca9e0167af387c573c5 /drivers | |
parent | 4fee7dab07bb2c7dfc3369e0f0e28e3fd4fc00c4 (diff) | |
download | linux-555d5b70f1597906dc2e31085f5e70b49d03a536.tar.xz |
ppp: clarify parsing of user supplied data in ppp_set_compress()
* Split big conditional statement.
* Check (data.length <= CCP_MAX_OPTION_LENGTH) only once.
* Don't read ccp_option[1] if not initialised.
Reading uninitialised ccp_option[1] was harmless, because this could
only happen when data.length was 0 or 1. So even then, we couldn't pass
the (ccp_option[1] < 2 || ccp_option[1] > data.length) test anyway.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/ppp/ppp_generic.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index fc8ad00..04f4eb3 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -2429,13 +2429,15 @@ ppp_set_compress(struct ppp *ppp, unsigned long arg) unsigned char ccp_option[CCP_MAX_OPTION_LENGTH]; err = -EFAULT; - if (copy_from_user(&data, (void __user *) arg, sizeof(data)) || - (data.length <= CCP_MAX_OPTION_LENGTH && - copy_from_user(ccp_option, (void __user *) data.ptr, data.length))) + if (copy_from_user(&data, (void __user *) arg, sizeof(data))) goto out; + if (data.length > CCP_MAX_OPTION_LENGTH) + goto out; + if (copy_from_user(ccp_option, (void __user *) data.ptr, data.length)) + goto out; + err = -EINVAL; - if (data.length > CCP_MAX_OPTION_LENGTH || - ccp_option[1] < 2 || ccp_option[1] > data.length) + if (data.length < 2 || ccp_option[1] < 2 || ccp_option[1] > data.length) goto out; cp = try_then_request_module( |