From 05dca9b77f99d80cf615075624666106d5b61727 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Tue, 19 Dec 2006 23:51:24 +0100 Subject: [PATCH] Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749) The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function and ->timer.data and later on calls add_timer() with no init_timer() ever done. The call of init_timer() is needed, because otherwise the call of add_timer() will result in an instant death. Signed-off-by: Marcel Holtmann --- drivers/isdn/isdn_ppp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/isdn/isdn_ppp.c b/drivers/isdn/isdn_ppp.c index 393ca44c917dd..bc3ef28e88c32 100644 --- a/drivers/isdn/isdn_ppp.c +++ b/drivers/isdn/isdn_ppp.c @@ -2335,6 +2335,7 @@ static struct ippp_ccp_reset_state *isdn_ppp_ccp_reset_alloc_state(struct ippp_s rs->state = CCPResetIdle; rs->is = is; rs->id = id; + init_timer(&rs->timer); rs->timer.data = (unsigned long)rs; rs->timer.function = isdn_ppp_ccp_timer_callback; is->reset->rs[id] = rs; -- cgit 1.2.3-korg
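Review bot: the init_timer(&rs->timer) call is correctly placed before the assignments to rs->timer.data and rs->timer.function, so the timer is initialised before add_timer() can ever touch it and nothing the hunk sets is overwritten; the one simplification worth considering is collapsing the three lines into a single `setup_timer(&rs->timer, isdn_ppp_ccp_timer_callback, (unsigned long)rs);` if that helper is available in this tree, which makes it impossible to forget the init step again. The commit message should also say what "instant death" means in practice (the add_timer() on an uninitialised timer oopses in the timer list handling), since a reader scanning for the CVE-2006-5749 impact cannot tell from the text whether this is a crash, a hang or memory corruption.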