* [RFC] [PATCH 2.6.21.5] ppp: fix osize too small errors when decoding mppe
@ 2007-06-20 11:37 Konstantin Sharlaimov
2007-06-24 6:07 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Konstantin Sharlaimov @ 2007-06-20 11:37 UTC (permalink / raw)
To: Paul Mackerras; +Cc: Sergey Vlasov, netdev, linux-kernel
The mppe_decompress() function required a buffer that is 1 byte too small when
receiving a message of mru size. This fixes buffer allocation to prevent this
from occurring.
Signed-off-by: Konstantin Sharlaimov <konstantin.sharlaimov@gmail.com>
---
As Sergey Vlasov pointed out, ppp_mppe-account-for-osize-too-small-errors-in.patch
may cause buffer overflows on certain data. Here is another patch that should
eliminate the "osize too small" errors. Instead of patching mppe_decompress
itself, I have patched ppp_decompress_frame so it would allocate the required
extra byte when using mppe compression.
I didn't have a chance to check this patch carefully yet, but it seems to be
working as expected. Any comments would be greatly appreciated.
--- linux-2.6.21.3/drivers/net/ppp_generic.c.orig 2007-06-20 09:14:13.000000000
+1100
+++ linux-2.6.21.3/drivers/net/ppp_generic.c 2007-06-20 09:18:06.000000000 +1100
@@ -1711,7 +1711,18 @@ ppp_decompress_frame(struct ppp *ppp, st
goto err;
if (proto == PPP_COMP) {
- ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN);
+ int obuff_size;
+
+ switch(ppp->rcomp->compress_proto) {
+ case CI_MPPE:
+ obuff_size = ppp->mru + PPP_HDRLEN + 1;
+ break;
+ default:
+ obuff_size = ppp->mru + PPP_HDRLEN;
+ break;
+ }
+
+ ns = dev_alloc_skb(obuff_size);
if (ns == 0) {
printk(KERN_ERR "ppp_decompress_frame: no memory\n");
goto err;
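Review bot: The "+ 1" in the "case CI_MPPE:" arm is an unexplained magic number: nothing at the allocation site says why MPPE needs one byte more than ppp->mru + PPP_HDRLEN. Add a comment there recording the reason given in the commit message (mppe_decompress() reports "osize too small" for an mru-sized frame), so a later cleanup does not silently drop the extra byte and bring the error back. The two switch arms also repeat the same base expression; assigning obuff_size = ppp->mru + PPP_HDRLEN once and incrementing it when ppp->rcomp->compress_proto == CI_MPPE would be shorter and keeps the size calculation in one place. As a style point, "switch(" should be written "switch (".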
* Re: [RFC] [PATCH 2.6.21.5] ppp: fix osize too small errors when decoding mppe
2007-06-20 11:37 [RFC] [PATCH 2.6.21.5] ppp: fix osize too small errors when decoding mppe Konstantin Sharlaimov
@ 2007-06-24 6:07 ` David Miller
2007-06-24 23:38 ` Konstantin Sharlaimov
0 siblings, 1 reply; 3+ messages in thread
From: David Miller @ 2007-06-24 6:07 UTC (permalink / raw)
To: konstantin.sharlaimov; +Cc: paulus, vsu, netdev, linux-kernel
From: Konstantin Sharlaimov <konstantin.sharlaimov@gmail.com>
Date: Wed, 20 Jun 2007 22:37:18 +1100
> The mppe_decompress() function required a buffer that is 1 byte too small when
> receiving a message of mru size. This fixes buffer allocation to prevent this
> from occurring.
>
> Signed-off-by: Konstantin Sharlaimov <konstantin.sharlaimov@gmail.com>
This looks better, I've reverted the original version of the
fix and applied this new one.
> --- linux-2.6.21.3/drivers/net/ppp_generic.c.orig 2007-06-20 09:14:13.000000000
> +1100
> +++ linux-2.6.21.3/drivers/net/ppp_generic.c 2007-06-20 09:18:06.000000000 +1100
Please prevent your email client from corrupting patches like
this by adding new lines.
I've fixed up your patches by hand now twice, I'm not going to do it
any more.
Thanks.
* Re: [RFC] [PATCH 2.6.21.5] ppp: fix osize too small errors when decoding mppe
2007-06-24 6:07 ` David Miller
@ 2007-06-24 23:38 ` Konstantin Sharlaimov
0 siblings, 0 replies; 3+ messages in thread
From: Konstantin Sharlaimov @ 2007-06-24 23:38 UTC (permalink / raw)
To: David Miller; +Cc: paulus, vsu, netdev, linux-kernel
On Sat, 2007-06-23 at 23:07 -0700, David Miller wrote:
The original version of this fix has made it to the 2.6.22-rc5 already
and should be replaced with this one, however the two can coexist in the
same code for a while.
> > --- linux-2.6.21.3/drivers/net/ppp_generic.c.orig 2007-06-20 09:14:13.000000000
> > +1100
> > +++ linux-2.6.21.3/drivers/net/ppp_generic.c 2007-06-20 09:18:06.000000000 +1100
>
> Please prevent your email client from corrupting patches like
> this by adding new lines.
Also, thank you for pointing this issue out, I'll fix it.