Skip to content

Commit cefb75b

Browse files
author
CKI KWF Bot
committed
Merge: ppp: stable backport for 10.2 phase 1
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/1531 JIRA: https://issues.redhat.com/browse/RHEL-115585 Upstream Status: linux.git Backport upstream PPP fixes. Signed-off-by: Guillaume Nault <gnault@redhat.com> Approved-by: Paolo Abeni <pabeni@redhat.com> Approved-by: Hangbin Liu <haliu@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>
2 parents 1bc1e27 + 5e4176c commit cefb75b

File tree

2 files changed

+14
-10
lines changed

2 files changed

+14
-10
lines changed

drivers/net/ppp/ppp_generic.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1749,7 +1749,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb)
17491749
*/
17501750
if (net_ratelimit())
17511751
netdev_err(ppp->dev, "ppp: compressor dropped pkt\n");
1752-
kfree_skb(skb);
17531752
consume_skb(new_skb);
17541753
new_skb = NULL;
17551754
}
@@ -1851,9 +1850,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
18511850
"down - pkt dropped.\n");
18521851
goto drop;
18531852
}
1854-
skb = pad_compress_skb(ppp, skb);
1855-
if (!skb)
1853+
new_skb = pad_compress_skb(ppp, skb);
1854+
if (!new_skb)
18561855
goto drop;
1856+
skb = new_skb;
18571857
}
18581858

18591859
/*

drivers/net/ppp/pptp.c

Lines changed: 11 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -159,36 +159,38 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
159159
int len;
160160
unsigned char *data;
161161
__u32 seq_recv;
162-
163-
164162
struct rtable *rt;
165163
struct net_device *tdev;
166164
struct iphdr *iph;
167165
int max_headroom;
168166

169167
if (sk_pppox(po)->sk_state & PPPOX_DEAD)
170-
goto tx_error;
168+
goto tx_drop;
171169

172170
rt = pptp_route_output(po, &fl4);
173171
if (IS_ERR(rt))
174-
goto tx_error;
172+
goto tx_drop;
175173

176174
tdev = rt->dst.dev;
177175

178176
max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(*iph) + sizeof(*hdr) + 2;
179177

180178
if (skb_headroom(skb) < max_headroom || skb_cloned(skb) || skb_shared(skb)) {
181179
struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom);
182-
if (!new_skb) {
183-
ip_rt_put(rt);
180+
181+
if (!new_skb)
184182
goto tx_error;
185-
}
183+
186184
if (skb->sk)
187185
skb_set_owner_w(new_skb, skb->sk);
188186
consume_skb(skb);
189187
skb = new_skb;
190188
}
191189

190+
/* Ensure we can safely access protocol field and LCP code */
191+
if (!pskb_may_pull(skb, 3))
192+
goto tx_error;
193+
192194
data = skb->data;
193195
islcp = ((data[0] << 8) + data[1]) == PPP_LCP && 1 <= data[2] && data[2] <= 7;
194196

@@ -262,6 +264,8 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
262264
return 1;
263265

264266
tx_error:
267+
ip_rt_put(rt);
268+
tx_drop:
265269
kfree_skb(skb);
266270
return 1;
267271
}

0 commit comments

Comments
 (0)