Commit 867e9913 authored by Wang Yufen's avatar Wang Yufen Committed by Zhengchao Shao
Browse files

ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg 

stable inclusion
from stable-v4.19.249
commit 6c4e3486d21173d60925ef52e512cae727b43d30
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I970CO

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6c4e3486d21173d60925ef52e512cae727b43d30



--------------------------------

[ Upstream commit f638a84a ]

When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be
overflow. To fix, we can follow what udpv6 does and subtract the
transhdrlen from the max.

Signed-off-by: default avatarWang Yufen <wangyufen@huawei.com>
Link: https://lore.kernel.org/r/20220607120028.845916-2-wangyufen@huawei.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
parent ce7ba9ee
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment