author | Björn Bidar | 2022-06-24 20:03:01 +0300 |
---|---|---|
committer | Björn Bidar | 2022-06-25 16:46:45 +0300 |
commit | 657059c03d46120dea746abb196d9d622e21fe5f (patch) | |
tree | 2ae07d28cd858ef0cda12e3c8af27932d06c0fbb /0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch | |
parent | 034adcf2fd3311bba3f58b8575b0be699ab3bd70 (diff) | |
download | aur-657059c03d46120dea746abb196d9d622e21fe5f.tar.gz |
Update to 5.18.6.p2-1
- New upstream release based on 5.18.5
- Add MGLRU Zen patch
- Add linux-5.18.6 patches
- Move System.map from -headers into the base package to avoid
external modules having wrong bpf symbols when running optimized
builds. Fixes #5
- Remove M/m from CPUSUFFIXES_KBUILD and LCPU, fixes build failing
when selecting an optimized build architecture that is not generic.
Fixes #6.
Signed-off-by: Björn Bidar <bjorn.bidar@thaodan.de>
Diffstat (limited to '0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch')
-rw-r--r-- | 0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch b/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch new file mode 100644 index 000000000000..9b97d4a050b7 --- /dev/null +++ b/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Wang Yufen <wangyufen@huawei.com> +Date: Tue, 7 Jun 2022 20:00:28 +0800 +Subject: [PATCH] ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg + +[ Upstream commit f638a84afef3dfe10554c51820c16e39a278c915 ] + +When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be +overflow. To fix, we can follow what udpv6 does and subtract the +transhdrlen from the max. + +Signed-off-by: Wang Yufen <wangyufen@huawei.com> +Link: https://lore.kernel.org/r/20220607120028.845916-2-wangyufen@huawei.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/l2tp/l2tp_ip6.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index 96f975777438f7f03614dbfa0c1a978822b0687b..d54dbd01d86f1e949c9a564221849caeeca0bfd5 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -502,14 +502,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + struct ipcm6_cookie ipc6; + int addr_len = msg->msg_namelen; + int transhdrlen = 4; /* zero session-id */ +- int ulen = len + transhdrlen; ++ int ulen; + int err; + + /* Rough check on arithmetic overflow, + * better check is made in ip6_append_data(). + */ +- if (len > INT_MAX) ++ if (len > INT_MAX - transhdrlen) + return -EMSGSIZE; ++ ulen = len + transhdrlen; + + /* Mirror BSD error message compatibility */ + if (msg->msg_flags & MSG_OOB) |
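Review bot: in the l2tp_ip6_sendmsg hunk, the new bound `if (len > INT_MAX - transhdrlen)` compares the size_t `len` against an int expression, so it is correct only while `transhdrlen` is non-negative and no larger than INT_MAX. That holds here because `transhdrlen` is initialised to the literal 4 a few lines above, but nothing in the code states the dependency; declaring it `const int transhdrlen = 4;` or mentioning it in the "Rough check on arithmetic overflow" comment would keep a later change from silently breaking the check. The moved assignment `ulen = len + transhdrlen;` still narrows a size_t sum into an int and is in range only because it now runs after the early `return -EMSGSIZE`, so that ordering requirement is worth a word in the same comment. The commit message describes the trigger as `len >= INT_MAX - transhdrlen`, while the check rejects only `len > INT_MAX - transhdrlen`; the code is right, since equality gives ulen == INT_MAX without overflow, and the message could say `>` to match.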