From: James Chapman <jchapman@katalix.com>
Date: Tue, 10 Jun 2008 19:35:00 +0000 (-0700)
Subject: l2tp: Fix potential memory corruption in pppol2tp_recvmsg()
X-Git-Tag: v2.6.26-rc6~13^2~10
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b6707a50c7598a83820077393f8823ab791abf8;p=pandora-kernel.git

l2tp: Fix potential memory corruption in pppol2tp_recvmsg()

This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into unintialized data on the kernel
heap, interpret it as an iovec and start modifying memory.

The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.

Reported-by: Ilja <ilja@netric.org>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

Reading git-diff-tree failed