android/android_kernel_asus_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ipc: fix potential oops when src msg > 4k w/ MSG_COPY

Browse Source 
If the src msg is > 4k, then dest->next points to the
next allocated segment; resetting it just prior to dereferencing
is bad.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Peter Hurley 2013-03-08 12:43:26 -08:00 committed by Linus Torvalds
parent 47b3bc9073
commit e1082f45f1
1 changed files with 0 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ipc/msgutil.c
View File

@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
if (alen > DATALEN_MSG) if (alen > DATALEN_MSG)
alen = DATALEN_MSG; alen = DATALEN_MSG;
dst->next = NULL;
dst->security = NULL;
memcpy(dst + 1, src + 1, alen); memcpy(dst + 1, src + 1, alen);
len -= alen; len -= alen;