Diffstat (limited to '0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch')
-rw-r--r--0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch b/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch
new file mode 100644
index 000000000000..9b97d4a050b7
--- /dev/null
+++ b/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wang Yufen <wangyufen@huawei.com>
+Date: Tue, 7 Jun 2022 20:00:28 +0800
+Subject: [PATCH] ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
+
+[ Upstream commit f638a84afef3dfe10554c51820c16e39a278c915 ]
+
+When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be
+overflow. To fix, we can follow what udpv6 does and subtract the
+transhdrlen from the max.
+
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Link: https://lore.kernel.org/r/20220607120028.845916-2-wangyufen@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_ip6.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index 96f975777438f7f03614dbfa0c1a978822b0687b..d54dbd01d86f1e949c9a564221849caeeca0bfd5 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -502,14 +502,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ struct ipcm6_cookie ipc6;
+ int addr_len = msg->msg_namelen;
+ int transhdrlen = 4; /* zero session-id */
+- int ulen = len + transhdrlen;
++ int ulen;
+ int err;
+
+ /* Rough check on arithmetic overflow,
+ * better check is made in ip6_append_data().
+ */
+- if (len > INT_MAX)
++ if (len > INT_MAX - transhdrlen)
+ return -EMSGSIZE;
++ ulen = len + transhdrlen;
+
+ /* Mirror BSD error message compatibility */
+ if (msg->msg_flags & MSG_OOB)
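Review bot: The comment above the length check in l2tp_ip6_sendmsg still describes only a "rough check on arithmetic overflow" and does not say why the bound is now `INT_MAX - transhdrlen`, so the reason `ulen` is assigned after the guard is easy to lose in a later refactor. I would extend it with a line such as `* len is a size_t from the caller; cap it so that ulen = len + transhdrlen still fits in an int.` The comparison mixes `size_t` with an `int` expression, which is safe here only because `transhdrlen` is the constant 4 and the right-hand side stays positive, and that is worth a short remark as well. The function body begins before and continues after this hunk, so how `ulen` is used later is not visible here.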