| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220607120028.845916-2-wangyufen@huawei.com>
Date: Tue, 7 Jun 2022 20:00:28 +0800
From: Wang Yufen <wangyufen@...wei.com>
To: <davem@...emloft.net>, <yoshfuji@...ux-ipv6.org>,
<dsahern@...nel.org>, <edumazet@...gle.com>, <kuba@...nel.org>,
<pabeni@...hat.com>, <ast@...nel.org>, <daniel@...earbox.net>,
<andrii@...nel.org>, <kafai@...com>, <songliubraving@...com>,
<yhs@...com>, <john.fastabend@...il.com>, <kpsingh@...nel.org>
CC: <netdev@...r.kernel.org>, <bpf@...r.kernel.org>
Subject: [PATCH net-next v5 2/2] ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be
overflow. To fix, we can follow what udpv6 does and subtract the
transhdrlen from the max.
Signed-off-by: Jakub Kicinski <kuba@...nel.org>
Signed-off-by: Wang Yufen <wangyufen@...wei.com>
---
net/l2tp/l2tp_ip6.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index c6ff8bf9b55f..9dbd801ddb98 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -504,14 +504,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
struct ipcm6_cookie ipc6;
int addr_len = msg->msg_namelen;
int transhdrlen = 4; /* zero session-id */
- int ulen = len + transhdrlen;
+ int ulen;
int err;
/* Rough check on arithmetic overflow,
* better check is made in ip6_append_data().
*/
- if (len > INT_MAX)
+ if (len > INT_MAX - transhdrlen)
return -EMSGSIZE;
+ ulen = len + transhdrlen;
/* Mirror BSD error message compatibility */
if (msg->msg_flags & MSG_OOB)
--
2.25.1
Powered by blists - more mailing lists