author | Marcel Holtmann <holtmann@redhat.com> | 2006-12-19 23:51:24 +0100 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2006-12-21 23:41:50 +0100 |
commit | 05dca9b77f99d80cf615075624666106d5b61727 (patch) | |
tree | 632065a7afbe34173926ab480aa4ac0863ff5dd9 | |
parent | 00262a7c5cb96dce28751b5ff55118b4a3c25e09 (diff) | |
download | linux-2.4-05dca9b77f99d80cf615075624666106d5b61727.tar.gz |
[PATCH] Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)
The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function
and ->timer.data and later on calls add_timer() with no init_timer()
ever done. The call of init_timer() is needed, because otherwise the
call of add_timer() will result in an instant death.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r-- | drivers/isdn/isdn_ppp.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/isdn/isdn_ppp.c b/drivers/isdn/isdn_ppp.c index 393ca44c917dd1..bc3ef28e88c322 100644 --- a/drivers/isdn/isdn_ppp.c +++ b/drivers/isdn/isdn_ppp.c @@ -2335,6 +2335,7 @@ static struct ippp_ccp_reset_state *isdn_ppp_ccp_reset_alloc_state(struct ippp_s rs->state = CCPResetIdle; rs->is = is; rs->id = id; + init_timer(&rs->timer); rs->timer.data = (unsigned long)rs; rs->timer.function = isdn_ppp_ccp_timer_callback; is->reset->rs[id] = rs; |
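Review bot: the added init_timer(&rs->timer) line in isdn_ppp_ccp_reset_alloc_state() carries no comment tying it to the later add_timer() call that the commit message describes, so a future cleanup could drop or move it without noticing the dependency. A one-line comment above it, saying the timer must be initialised here because add_timer() is called on it later, would document that. The visible context also does not show how rs is allocated. Since is->reset->rs[id] = rs publishes the structure a few lines further down, confirm that the allocation zeroes it or that every remaining field is set before that assignment. It is also worth checking the other timers set up in drivers/isdn/isdn_ppp.c for the same missing initialisation, as this hunk covers only one site.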