| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20080610.123612.162337098.davem@davemloft.net> Date: Tue, 10 Jun 2008 12:36:12 -0700 (PDT) From: David Miller <davem@...emloft.net> To: jchapman@...alix.com Cc: netdev@...r.kernel.org, ilja@...ric.org Subject: Re: [PATCH net-2.6] L2TP: Fix potential memory corruption in pppol2tp_recvmsg() From: James Chapman <jchapman@...alix.com> Date: Tue, 10 Jun 2008 13:34:24 +0100 > This patch fixes a potential memory corruption in > pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer > length, memcpy_toiovec() will go into unintialized data on the kernel > heap, interpret it as an iovec and start modifying memory. > > The fix is to change the memcpy_toiovec() call to > skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP) > are handled properly. Also check that the caller's buffer is big > enough for the data and set the MSG_TRUNC flag if it is not so. > > Reported-by: Ilja <ilja@...ric.org> > Signed-off-by: James Chapman <jchapman@...alix.com> Applied, thanks. Please see: http://marc.info/?l=linux-netdev&m=121262022428660&w=2 for a description of how I would like folks to format their commit header lines for networking changes nowadays. I fixed it up by hand for you this time. > A candidate for -stable? Yes, and I've queued it up for such. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists