From: Florian Westphal Date: Wed, 28 Jan 2015 09:56:04 +0000 (+0100) Subject: ppp: deflate: never return len larger than output buffer X-Git-Tag: firefly_0821_release~176^2~2421^2~31 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=e2a4800e75780ccf4e6c2487f82b688ba736eb18;p=firefly-linux-kernel-4.4.55.git ppp: deflate: never return len larger than output buffer When we've run out of space in the output buffer to store more data, we will call zlib_deflate with a NULL output buffer until we've consumed remaining input. When this happens, olen contains the size the output buffer would have consumed iff we'd have had enough room. This can later cause skb_over_panic when ppp_generic skb_put()s the returned length. Reported-by: Iain Douglas Signed-off-by: Florian Westphal Signed-off-by: David S. Miller --- diff --git a/drivers/net/ppp/ppp_deflate.c b/drivers/net/ppp/ppp_deflate.c index 602c625d95d5..b5edc7f96a39 100644 --- a/drivers/net/ppp/ppp_deflate.c +++ b/drivers/net/ppp/ppp_deflate.c @@ -246,7 +246,7 @@ static int z_compress(void *arg, unsigned char *rptr, unsigned char *obuf, /* * See if we managed to reduce the size of the packet. */ - if (olen < isize) { + if (olen < isize && olen <= osize) { state->stats.comp_bytes += olen; state->stats.comp_packets++; } else {