authorMarcel Holtmann <marcel@holtmann.org>2007-01-04 01:53:41 +0100
committerAdrian Bunk <bunk@stusta.de>2007-01-04 01:53:41 +0100
commitbb3e712f45f05c380ee6efed0afd588ed3ce18fb (patch)
treeb9b5d52a97bb3df3f0e591a663c022e3fb0520fb
parent7c876d457b5c7e949032a4ac7aec64af0136d52a (diff)
Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)
The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function and ->timer.data and later on calls add_timer() with no init_timer() ever done. Noted by Al Viro. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
-rw-r--r--drivers/isdn/i4l/isdn_ppp.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
index 1a19a0f8942..b3f0e01f74d 100644
--- a/drivers/isdn/i4l/isdn_ppp.c
+++ b/drivers/isdn/i4l/isdn_ppp.c
@@ -2346,6 +2346,7 @@ static struct ippp_ccp_reset_state *isdn_ppp_ccp_reset_alloc_state(struct ippp_s
rs->state = CCPResetIdle;
rs->is = is;
rs->id = id;
+ init_timer(&rs->timer);
rs->timer.data = (unsigned long)rs;
rs->timer.function = isdn_ppp_ccp_timer_callback;
is->reset->rs[id] = rs;
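Review bot: The three timer lines from `init_timer(&rs->timer);` to the `rs->timer.function` assignment could be a single `setup_timer(&rs->timer, isdn_ppp_ccp_timer_callback, (unsigned long)rs);`, if the target tree provides that helper. Keeping initialisation and callback assignment in one call means one cannot be dropped without the other, which is the omission this commit fixes. The function body starts and ends outside the hunk, so the allocation of `rs` and the later add_timer() call are not visible here. The release path is not shown either; it is worth confirming that it calls del_timer() on a pending timer before freeing `rs`, since otherwise the callback could run against freed memory.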