Unverified Commit 55d14eb3 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!5542 round lts patches 

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/VJY6UONPAAHUPWZ2RQ437ZMC7KKEJMWT/ 
Round lts patches.

Tom Parkin (1):
  l2tp: pass correct message length to ip6_append_data

Wang Yufen (1):
  ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg


-- 
2.34.1
 
https://gitee.com/openeuler/kernel/issues/I970CO 
 
Link:https://gitee.com/openeuler/kernel/pulls/5542

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Reviewed-by: default avatarLiu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: default avatarZhang Changzhong <zhangchangzhong@huawei.com>
parents ee193de8 780c8796

net/l2tp/l2tp_ip6.c

+4 −3
Original line number Diff line number Diff line
@@ -517,14 +517,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) 
	struct ipcm6_cookie ipc6;

	int addr_len = msg->msg_namelen;

	int transhdrlen = 4; /* zero session-id */

	int ulen = len + transhdrlen;

	int ulen;

	int err;



	/* Rough check on arithmetic overflow,

	   better check is made in ip6_append_data().

	 */

	if (len > INT_MAX)

	if (len > INT_MAX - transhdrlen)

		return -EMSGSIZE;

	ulen = len + transhdrlen;



	/* Mirror BSD error message compatibility */

	if (msg->msg_flags & MSG_OOB)
@@ -648,7 +649,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) 


back_from_confirm:

	lock_sock(sk);

	ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;

	ulen = len + (skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0);

	err = ip6_append_data(sk, ip_generic_getfrag, msg,

			      ulen, transhdrlen, &ipc6,

			      &fl6, (struct rt6_info *)dst,