From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Iain Douglas <centos@1n6.org.uk>,
Florian Westphal <fw@strlen.de>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 15/20] ppp: deflate: never return len larger than output buffer
Date: Tue, 24 Feb 2015 18:10:30 -0800 [thread overview]
Message-ID: <20150225020854.725054138@linuxfoundation.org> (raw)
In-Reply-To: <20150225020854.096477776@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit e2a4800e75780ccf4e6c2487f82b688ba736eb18 ]
When we've run out of space in the output buffer to store more data, we
will call zlib_deflate with a NULL output buffer until we've consumed
remaining input.
When this happens, olen contains the size the output buffer would have
consumed iff we'd have had enough room.
This can later cause skb_over_panic when ppp_generic skb_put()s
the returned length.
Reported-by: Iain Douglas <centos@1n6.org.uk>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ppp/ppp_deflate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ppp/ppp_deflate.c
+++ b/drivers/net/ppp/ppp_deflate.c
@@ -246,7 +246,7 @@ static int z_compress(void *arg, unsigne
/*
* See if we managed to reduce the size of the packet.
*/
- if (olen < isize) {
+ if (olen < isize && olen <= osize) {
state->stats.comp_bytes += olen;
state->stats.comp_packets++;
} else {
next prev parent reply other threads:[~2015-02-25 2:10 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-25 2:10 [PATCH 3.18 00/20] 3.18.8-stable review Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 01/20] ip: zero sockaddr returned on error queue Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 02/20] net: rps: fix cpu unplug Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 03/20] ipv6: stop sending PTB packets for MTU < 1280 Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 04/20] netxen: fix netxen_nic_poll() logic Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 05/20] net: sctp: fix slab corruption from use after free on INIT collisions Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 06/20] ipv4: try to cache dst_entries which would cause a redirect Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 07/20] udp_diag: Fix socket skipping within chain Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 08/20] ping: Fix race in free in receive path Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 09/20] ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 10/20] bnx2x: fix napi poll return value for repoll Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 11/20] net: dont OOPS on socket aio Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 12/20] bridge: dont send notification when skb->len == 0 in rtnl_bridge_notify Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 13/20] tcp: ipv4: initialize unicast_sock sk_pacing_rate Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 14/20] ipv4: tcp: get rid of ugly unicast_sock Greg Kroah-Hartman
2015-02-25 2:10 ` Greg Kroah-Hartman [this message]
2015-02-25 2:10 ` [PATCH 3.18 16/20] net: sctp: fix passing wrong parameter header to param_type2af in sctp_process_param Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 17/20] hyperv: Fix the error processing in netvsc_send() Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 18/20] net: sched: fix panic in rate estimators Greg Kroah-Hartman
2015-02-25 2:10 ` [PATCH 3.18 20/20] [media] media/rc: Send sync space information on the lirc device Greg Kroah-Hartman
2015-02-25 16:46 ` [PATCH 3.18 00/20] 3.18.8-stable review Guenter Roeck
2015-02-25 17:52 ` Greg Kroah-Hartman
2015-02-25 20:56 ` Shuah Khan
2015-02-25 21:07 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150225020854.725054138@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=centos@1n6.org.uk \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).