ppp: deflate: never return len larger than output buffer

[ Upstream commit e2a4800e75780ccf4e6c2487f82b688ba736eb18 ] When we've run out of space in the output buffer to store more data, we will call zlib_deflate with a NULL output buffer until we've consumed remaining input. When this happens, olen contains the size the output buffer would have consumed iff we'd have had enough room. This can later cause skb_over_panic when ppp_generic skb_put()s the returned length. Reported-by: Iain Douglas <centos@1n6.org.uk> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Florian Westphal <fw@strlen.de> 2015-01-28 10:56:04 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-02-26 17:50:12 -0800
commit: 8f10d6cc7a808ef54e5f211764e9f6f250a7b6eb (patch)
tree: 4a30c7d58a3f670e13627d4a0bb6f9660203b072
parent: 94caec8ce77522122b2644e4ac1cd7b0d90405d9 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/ppp/ppp_deflate.c b/drivers/net/ppp/ppp_deflate.c
index 602c625d95d5..b5edc7f96a39 100644
--- a/drivers/net/ppp/ppp_deflate.c
+++ b/drivers/net/ppp/ppp_deflate.c
@@ -246,7 +246,7 @@ static int z_compress(void *arg, unsigned char *rptr, unsigned char *obuf,
 	/*
 	 * See if we managed to reduce the size of the packet.
 	 */
-	if (olen < isize) {
+	if (olen < isize && olen <= osize) {
 		state->stats.comp_bytes += olen;
 		state->stats.comp_packets++;
 	} else {
author	Florian Westphal <fw@strlen.de>	2015-01-28 10:56:04 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-02-26 17:50:12 -0800
commit	8f10d6cc7a808ef54e5f211764e9f6f250a7b6eb (patch)
tree	4a30c7d58a3f670e13627d4a0bb6f9660203b072
parent	94caec8ce77522122b2644e4ac1cd7b0d90405d9 (diff)