Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 6b6707a50c7598a83820077393f8823ab791abf8
commit6b6707a50c7598a83820077393f8823ab791abf8[log] [tgz]
authorJames Chapman <jchapman@katalix.com>Tue Jun 10 12:35:00 2008 -0700
committerDavid S. Miller <davem@davemloft.net>Tue Jun 10 12:35:00 2008 -0700
tree5a707de3b34eeaa2bad9b16d5ad006abe4a6d901
parent2e761e0532a784816e7e822dbaaece8c5d4be14d [diff]
l2tp: Fix potential memory corruption in pppol2tp_recvmsg()

This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into unintialized data on the kernel
heap, interpret it as an iovec and start modifying memory.

The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.

Reported-by: Ilja <ilja@netric.org>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 file changed
tree: 5a707de3b34eeaa2bad9b16d5ad006abe4a6d901
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. fs/
  7. include/
  8. init/
  9. ipc/
  10. kernel/
  11. lib/
  12. mm/
  13. net/
  14. samples/
  15. scripts/
  16. security/
  17. sound/
  18. usr/
  19. virt/
  20. .gitignore
  21. .mailmap
  22. COPYING
  23. CREDITS
  24. Kbuild
  25. MAINTAINERS
  26. Makefile
  27. README
  28. REPORTING-BUGS