From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Wang Yufen <wangyufen@huawei.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
	davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 16/18] ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
Date: Mon, 13 Jun 2022 22:09:39 -0400
Message-ID: <20220614020941.1100702-16-sashal@kernel.org>
In-Reply-To: <20220614020941.1100702-1-sashal@kernel.org>

From: Wang Yufen <wangyufen@huawei.com>

[ Upstream commit f638a84afef3dfe10554c51820c16e39a278c915 ]

When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will
overflow. To fix, we can follow what udpv6 does and subtract the
transhdrlen from the max.

Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Link: https://lore.kernel.org/r/20220607120028.845916-2-wangyufen@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/l2tp/l2tp_ip6.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 2ff25c445b82..9dae10d8880c 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -519,14 +519,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 	struct ipcm6_cookie ipc6;
 	int addr_len = msg->msg_namelen;
 	int transhdrlen = 4; /* zero session-id */
-	int ulen = len + transhdrlen;
+	int ulen;
 	int err;
 
 	/* Rough check on arithmetic overflow,
 	   better check is made in ip6_append_data().
 	 */
-	if (len > INT_MAX)
+	if (len > INT_MAX - transhdrlen)
 		return -EMSGSIZE;
+	ulen = len + transhdrlen;
 
 	/* Mirror BSD error message compatibility */
 	if (msg->msg_flags & MSG_OOB)
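Review bot: the ordering between the `len > INT_MAX - transhdrlen` check and the new `ulen = len + transhdrlen;` assignment is now load-bearing but undocumented; the unchanged "Rough check on arithmetic overflow" comment still reads as if only `len` were being bounded. Consider extending that comment to say the bound reserves room for `transhdrlen` and that `ulen` must be computed only after it, so a later cleanup does not fold the assignment back into the `int ulen;` declaration. The comparison also mixes `size_t len` with an `int` expression: it holds here because `transhdrlen` is the small positive constant 4, and that assumption is worth a word in the comment in case `transhdrlen` ever stops being a fixed value.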
-- 
2.35.1

