revert broken PPPOE changes until they're fixed in Linus's tree. drivers/net/ppp_generic.c | 63 ++++++++++++++++------------------------------ drivers/net/pppoe.c | 39 +++++----------------------- 2 files changed, 30 insertions(+), 72 deletions(-) diff -puN drivers/net/ppp_generic.c~pppoe-revert drivers/net/ppp_generic.c --- 25/drivers/net/ppp_generic.c~pppoe-revert 2003-06-26 17:33:13.000000000 -0700 +++ 25-akpm/drivers/net/ppp_generic.c 2003-06-26 17:33:13.000000000 -0700 @@ -1348,18 +1348,11 @@ ppp_input(struct ppp_channel *chan, stru struct channel *pch = chan->ppp; int proto; - if (pch == 0) - goto drop; - - /* need to have PPP header */ - if (!pskb_may_pull(skb, 2)) { - if (pch->ppp) { - ++pch->ppp->stats.rx_length_errors; - ppp_receive_error(pch->ppp); - } - goto drop; + if (pch == 0 || skb->len == 0) { + kfree_skb(skb); + return; } - + proto = PPP_PROTO(skb); read_lock_bh(&pch->upl); if (pch->ppp == 0 || proto >= 0xc000 || proto == PPP_CCPFRAG) { @@ -1374,10 +1367,6 @@ ppp_input(struct ppp_channel *chan, stru ppp_do_recv(pch->ppp, skb, pch); } read_unlock_bh(&pch->upl); - return; - drop: - kfree_skb(skb); - return; } /* Put a 0-length skb in the receive queue as an error indication */ @@ -1409,13 +1398,23 @@ ppp_input_error(struct ppp_channel *chan static void ppp_receive_frame(struct ppp *ppp, struct sk_buff *skb, struct channel *pch) { + if (skb->len >= 2) { #ifdef CONFIG_PPP_MULTILINK - /* XXX do channel-level decompression here */ - if (PPP_PROTO(skb) == PPP_MP) - ppp_receive_mp_frame(ppp, skb, pch); - else + /* XXX do channel-level decompression here */ + if (PPP_PROTO(skb) == PPP_MP) + ppp_receive_mp_frame(ppp, skb, pch); + else #endif /* CONFIG_PPP_MULTILINK */ - ppp_receive_nonmp_frame(ppp, skb); + ppp_receive_nonmp_frame(ppp, skb); + return; + } + + if (skb->len > 0) + /* note: a 0-length skb is used as an error indication */ + ++ppp->stats.rx_length_errors; + + kfree_skb(skb); + ppp_receive_error(ppp); } static void @@ -1447,8 +1446,7 @@ ppp_receive_nonmp_frame(struct ppp *ppp, /* decompress VJ compressed packets */ if (ppp->vj == 0 || (ppp->flags & SC_REJ_COMP_TCP)) goto err; - - if (skb_tailroom(skb) < 124 || skb_is_nonlinear(skb) ) { + if (skb_tailroom(skb) < 124) { /* copy to a new sk_buff with more tailroom */ ns = dev_alloc_skb(skb->len + 128); if (ns == 0) { @@ -1476,13 +1474,6 @@ ppp_receive_nonmp_frame(struct ppp *ppp, case PPP_VJC_UNCOMP: if (ppp->vj == 0 || (ppp->flags & SC_REJ_COMP_TCP)) goto err; - - /* Until we fix the decompressor need to make sure - * data portion is linear. - */ - if (!pskb_may_pull(skb, skb->len)) - goto err; - if (slhc_remember(ppp->vj, skb->data + 2, skb->len - 2) <= 0) { printk(KERN_ERR "PPP: VJ uncompressed error\n"); goto err; @@ -1560,12 +1551,6 @@ ppp_decompress_frame(struct ppp *ppp, st struct sk_buff *ns; int len; - /* Until we fix all the decompressor's need to make sure - * data portion is linear. - */ - if (!pskb_may_pull(skb, skb->len)) - goto err; - if (proto == PPP_COMP) { ns = dev_alloc_skb(ppp->mru + PPP_HDRLEN); if (ns == 0) { @@ -1618,7 +1603,7 @@ ppp_receive_mp_frame(struct ppp *ppp, st struct list_head *l; int mphdrlen = (ppp->flags & SC_MP_SHORTSEQ)? MPHDRLEN_SSN: MPHDRLEN; - if (!pskb_may_pull(skb, mphdrlen + 1) || ppp->mrru == 0) + if (skb->len < mphdrlen + 1 || ppp->mrru == 0) goto err; /* no good, throw it away */ /* Decode sequence number and begin/end bits */ @@ -2036,7 +2021,7 @@ ppp_ccp_peek(struct ppp *ppp, struct sk_ unsigned char *dp = skb->data + 2; int len; - if (!pskb_may_pull(skb, CCP_HDRLEN + 2) + if (skb->len < CCP_HDRLEN + 2 || skb->len < (len = CCP_LENGTH(dp)) + 2) return; /* too short */ @@ -2071,10 +2056,6 @@ ppp_ccp_peek(struct ppp *ppp, struct sk_ case CCP_CONFACK: if ((ppp->flags & (SC_CCP_OPEN | SC_CCP_UP)) != SC_CCP_OPEN) break; - - if (!pskb_may_pull(skb, len)) - break; - dp += CCP_HDRLEN; len -= CCP_HDRLEN; if (len < CCP_OPT_MINLEN || len < CCP_OPT_LENGTH(dp)) diff -puN drivers/net/pppoe.c~pppoe-revert drivers/net/pppoe.c --- 25/drivers/net/pppoe.c~pppoe-revert 2003-06-26 17:33:13.000000000 -0700 +++ 25-akpm/drivers/net/pppoe.c 2003-06-26 17:33:13.000000000 -0700 @@ -333,11 +333,7 @@ static int pppoe_rcv_core(struct sock *s struct pppox_opt *relay_po = NULL; if (sk->sk_state & PPPOX_BOUND) { - struct pppoe_hdr *ph = (struct pppoe_hdr *) skb->nh.raw; - int len = ntohs(ph->length); skb_pull(skb, sizeof(struct pppoe_hdr)); - skb_trim(skb, len); - ppp_input(&po->chan, skb); } else if (sk->sk_state & PPPOX_RELAY) { relay_po = get_item_by_addr(&po->pppoe_relay); @@ -375,22 +371,17 @@ static int pppoe_rcv(struct sk_buff *skb struct packet_type *pt) { - struct pppoe_hdr *ph; + struct pppoe_hdr *ph = (struct pppoe_hdr *) skb->nh.raw; struct pppox_opt *po; - struct sock *sk; + struct sock *sk ; int ret; - if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr))) - goto drop; - - if (!(skb = skb_share_check(skb, GFP_ATOMIC))) - goto out; - - ph = (struct pppoe_hdr *) skb->nh.raw; - po = get_item((unsigned long) ph->sid, skb->mac.ethernet->h_source); - if (!po) - goto drop; + + if (!po) { + kfree_skb(skb); + return NET_RX_DROP; + } sk = po->sk; bh_lock_sock(sk); @@ -407,10 +398,6 @@ static int pppoe_rcv(struct sk_buff *skb sock_put(sk); return ret; -drop: - kfree_skb(skb); -out: - return NET_RX_DROP; } /************************************************************************ @@ -424,16 +411,9 @@ static int pppoe_disc_rcv(struct sk_buff struct packet_type *pt) { - struct pppoe_hdr *ph; + struct pppoe_hdr *ph = (struct pppoe_hdr *) skb->nh.raw; struct pppox_opt *po; - if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr))) - goto abort; - - if (!(skb = skb_share_check(skb, GFP_ATOMIC))) - goto out; - - ph = (struct pppoe_hdr *) skb->nh.raw; if (ph->code != PADT_CODE) goto abort; @@ -461,20 +441,17 @@ static int pppoe_disc_rcv(struct sk_buff abort: kfree_skb(skb); -out: return NET_RX_SUCCESS; /* Lies... :-) */ } static struct packet_type pppoes_ptype = { .type = __constant_htons(ETH_P_PPP_SES), .func = pppoe_rcv, - .data = (void *)1, }; static struct packet_type pppoed_ptype = { .type = __constant_htons(ETH_P_PPP_DISC), .func = pppoe_disc_rcv, - .data = (void *)1, }; /*********************************************************************** _