Commit 6b6707a5 authored Jun 10, 2008 by James Chapman Committed by David S. Miller Jun 10, 2008

l2tp: Fix potential memory corruption in pppol2tp_recvmsg()



This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into unintialized data on the kernel
heap, interpret it as an iovec and start modifying memory.

The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.

Reported-by: Ilja <ilja@netric.org>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 2e761e05

drivers/net/pppol2tp.c

+12 −8

Original line number	Diff line number	Diff line
		@@ -783,14 +783,18 @@ static int pppol2tp_recvmsg(struct kiocb iocb, struct socket sock,
		err = 0;
		skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
		flags & MSG_DONTWAIT, &err);
		if (skb) {
		err = memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data,
		skb->len);
		if (err < 0)
		goto do_skb_free;
		err = skb->len;
		}
		do_skb_free:
		if (!skb)
		goto end;

		if (len > skb->len)
		len = skb->len;
		else if (len < skb->len)
		msg->msg_flags \|= MSG_TRUNC;

		err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len);
		if (likely(err == 0))
		err = len;

		kfree_skb(skb);
		end:
		return err;

Admin message