l2tp: Fix potential memory corruption in pppol2tp_recvmsg()

This patch fixes a potential memory corruption in
pppol2tp_recvmsg(). If skb->len is bigger than the caller's buffer
length, memcpy_toiovec() will go into unintialized data on the kernel
heap, interpret it as an iovec and start modifying memory.

The fix is to change the memcpy_toiovec() call to
skb_copy_datagram_iovec() so that paged packets (rare for PPPOL2TP)
are handled properly. Also check that the caller's buffer is big
enough for the data and set the MSG_TRUNC flag if it is not so.

Reported-by: Ilja <ilja@netric.org>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
index 70cfdb46aa27422d61e72508c840004dfc740c22..f9298827a76caa07f8508d4179b9b312cf13fb72 100644 (file)
--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -783,14 +783,18 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock,
        err = 0;
        skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
                                flags & MSG_DONTWAIT, &err);
-       if (skb) {
-               err = memcpy_toiovec(msg->msg_iov, (unsigned char *) skb->data,
-                                    skb->len);
-               if (err < 0)
-                       goto do_skb_free;
-               err = skb->len;
-       }
-do_skb_free:
+       if (!skb)
+               goto end;
+
+       if (len > skb->len)
+               len = skb->len;
+       else if (len < skb->len)
+               msg->msg_flags |= MSG_TRUNC;
+
+       err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, len);
+       if (likely(err == 0))
+               err = len;
+
        kfree_skb(skb);
 end:
        return err;