From 555d5b70f1597906dc2e31085f5e70b49d03a536 Mon Sep 17 00:00:00 2001 From: Guillaume Nault Date: Tue, 23 Feb 2016 13:59:43 +0100 Subject: [PATCH] ppp: clarify parsing of user supplied data in ppp_set_compress() * Split big conditional statement. * Check (data.length <= CCP_MAX_OPTION_LENGTH) only once. * Don't read ccp_option[1] if not initialised. Reading uninitialised ccp_option[1] was harmless, because this could only happen when data.length was 0 or 1. So even then, we couldn't pass the (ccp_option[1] < 2 || ccp_option[1] > data.length) test anyway. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller --- drivers/net/ppp/ppp_generic.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index fc8ad001bc94..04f4eb34fa80 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -2429,13 +2429,15 @@ ppp_set_compress(struct ppp *ppp, unsigned long arg) unsigned char ccp_option[CCP_MAX_OPTION_LENGTH]; err = -EFAULT; - if (copy_from_user(&data, (void __user *) arg, sizeof(data)) || - (data.length <= CCP_MAX_OPTION_LENGTH && - copy_from_user(ccp_option, (void __user *) data.ptr, data.length))) + if (copy_from_user(&data, (void __user *) arg, sizeof(data))) goto out; + if (data.length > CCP_MAX_OPTION_LENGTH) + goto out; + if (copy_from_user(ccp_option, (void __user *) data.ptr, data.length)) + goto out; + err = -EINVAL; - if (data.length > CCP_MAX_OPTION_LENGTH || - ccp_option[1] < 2 || ccp_option[1] > data.length) + if (data.length < 2 || ccp_option[1] < 2 || ccp_option[1] > data.length) goto out; cp = try_then_request_module( -- 2.20.1