Unverified Commit 2ad5d68f authored Mar 11, 2024 by openeuler-ci-bot Committed by Gitee Mar 11, 2024

!5117 fix CVE-2023-52527

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4T2CYKEUDMZH7R4E2N3GVLFODRTTM4S5/ 
fix CVE-2023-52527.

David Howells (1):
  ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()

Tom Parkin (1):
  l2tp: pass correct message length to ip6_append_data


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I95B2G 
 
Link:https://gitee.com/openeuler/kernel/pulls/5117

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

parents 8c1d9cf9 98a6ab17

net/l2tp/l2tp_ip6.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -508,7 +508,6 @@ static int l2tp_ip6_sendmsg(struct sock sk, struct msghdr msg, size_t len)
		*/
		if (len > INT_MAX - transhdrlen)
		return -EMSGSIZE;
		ulen = len + transhdrlen;

		/* Mirror BSD error message compatibility */
		if (msg->msg_flags & MSG_OOB)
		@@ -629,6 +628,7 @@ static int l2tp_ip6_sendmsg(struct sock sk, struct msghdr msg, size_t len)

		back_from_confirm:
		lock_sock(sk);
		ulen = len + (skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0);
		err = ip6_append_data(sk, ip_generic_getfrag, msg,
		ulen, transhdrlen, &ipc6,
		&fl6, (struct rt6_info *)dst,