From: Marcel Holtmann Date: Thu, 4 Jan 2007 00:53:41 +0000 (+0100) Subject: Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749) X-Git-Tag: v2.6.16.38-rc1~37 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=bb3e712f45f05c380ee6efed0afd588ed3ce18fb;p=karo-tx-linux.git Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749) The function isdn_ppp_ccp_reset_alloc_state() sets ->timer.function and ->timer.data and later on calls add_timer() with no init_timer() ever done. Noted by Al Viro. Signed-off-by: Marcel Holtmann Signed-off-by: Adrian Bunk --- diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c index 1a19a0f89428..b3f0e01f74da 100644 --- a/drivers/isdn/i4l/isdn_ppp.c +++ b/drivers/isdn/i4l/isdn_ppp.c @@ -2346,6 +2346,7 @@ static struct ippp_ccp_reset_state *isdn_ppp_ccp_reset_alloc_state(struct ippp_s rs->state = CCPResetIdle; rs->is = is; rs->id = id; + init_timer(&rs->timer); rs->timer.data = (unsigned long)rs; rs->timer.function = isdn_ppp_ccp_timer_callback; is->reset->rs[id] = rs;
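Review bot: in isdn_ppp_ccp_reset_alloc_state(), the added init_timer(&rs->timer) is still followed by two hand-written assignments to rs->timer.data and rs->timer.function, and keeping these as three separate statements is what allowed the init call to be left out originally. Where the helper is available in this tree, consider folding the three lines into one setup_timer(&rs->timer, isdn_ppp_ccp_timer_callback, (unsigned long)rs) call so that initialisation and field setup cannot drift apart again. The ordering is right as it stands: the init comes before the field assignments and before is->reset->rs[id] = rs makes the state reachable. The hunk does not show how rs is allocated, so it cannot be judged from the visible lines whether the timer fields were zeroed or held stale memory when add_timer() ran; a sentence in the commit message stating which case applies would make the impact of the bug clearer to anyone deciding whether to backport.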