diff options
Diffstat (limited to '0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch')
-rw-r--r-- | 0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch b/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch new file mode 100644 index 000000000000..9b97d4a050b7 --- /dev/null +++ b/0038-ipv6-Fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Wang Yufen <wangyufen@huawei.com> +Date: Tue, 7 Jun 2022 20:00:28 +0800 +Subject: [PATCH] ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg + +[ Upstream commit f638a84afef3dfe10554c51820c16e39a278c915 ] + +When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be +overflow. To fix, we can follow what udpv6 does and subtract the +transhdrlen from the max. + +Signed-off-by: Wang Yufen <wangyufen@huawei.com> +Link: https://lore.kernel.org/r/20220607120028.845916-2-wangyufen@huawei.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + net/l2tp/l2tp_ip6.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index 96f975777438f7f03614dbfa0c1a978822b0687b..d54dbd01d86f1e949c9a564221849caeeca0bfd5 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -502,14 +502,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + struct ipcm6_cookie ipc6; + int addr_len = msg->msg_namelen; + int transhdrlen = 4; /* zero session-id */ +- int ulen = len + transhdrlen; ++ int ulen; + int err; + + /* Rough check on arithmetic overflow, + * better check is made in ip6_append_data(). + */ +- if (len > INT_MAX) ++ if (len > INT_MAX - transhdrlen) + return -EMSGSIZE; ++ ulen = len + transhdrlen; + + /* Mirror BSD error message compatibility */ + if (msg->msg_flags & MSG_OOB) |