Patch "ppp: deflate: never return len larger than output buffer" has been added to the 3.18-stable tree

Wed, 11 Feb 2015 18:01:06 -0800 

This is a note to let you know that I've just added the patch titled

    ppp: deflate: never return len larger than output buffer

to the 3.18-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ppp-deflate-never-return-len-larger-than-output-buffer.patch
and it can be found in the queue-3.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From foo@baz Thu Feb 12 09:25:54 HKT 2015
From: Florian Westphal <[email protected]>
Date: Wed, 28 Jan 2015 10:56:04 +0100
Subject: ppp: deflate: never return len larger than output buffer

From: Florian Westphal <[email protected]>

[ Upstream commit e2a4800e75780ccf4e6c2487f82b688ba736eb18 ]

When we've run out of space in the output buffer to store more data, we
will call zlib_deflate with a NULL output buffer until we've consumed
remaining input.

When this happens, olen contains the size the output buffer would have
consumed iff we'd have had enough room.

This can later cause skb_over_panic when ppp_generic skb_put()s
the returned length.

Reported-by: Iain Douglas <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
 drivers/net/ppp/ppp_deflate.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ppp/ppp_deflate.c
+++ b/drivers/net/ppp/ppp_deflate.c
@@ -246,7 +246,7 @@ static int z_compress(void *arg, unsigne
        /*
         * See if we managed to reduce the size of the packet.
         */
-       if (olen < isize) {
+       if (olen < isize && olen <= osize) {
                state->stats.comp_bytes += olen;
                state->stats.comp_packets++;
        } else {


Patches currently in stable-queue which might be from [email protected] are

queue-3.18/ppp-deflate-never-return-len-larger-than-output-buffer.patch
queue-3.18/ipv4-try-to-cache-dst_entries-which-would-cause-a-redirect.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to