diff options
author | Al Viro <viro@ZenIV.linux.org.uk> | 2017-08-14 21:31:38 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-08-14 22:26:51 -0700 |
commit | 42b7305905be52e467bbc346b0f2f95ad44eb1a0 (patch) | |
tree | dc523c0b1f3b8b02f1ae3cfb43f216a79b781178 /net/sunrpc/auth_null.c | |
parent | e5645f51ba99738b0e5d708edf9c6454f33b9310 (diff) |
udp: fix linear skb reception with PEEK_OFF
copy_linear_skb() is broken; both of its callers actually
expect 'len' to be the amount we are trying to copy,
not the offset of the end.
Fix it keeping the meanings of arguments in sync with what the
callers (both of them) expect.
Also restore a saner behavior on EFAULT (i.e. preserving
the iov_iter position in case of failure):
The commit fd851ba9caa9 ("udp: harden copy_linear_skb()")
avoids the more destructive effect of the buggy
copy_linear_skb(), e.g. no more invalid memory access, but
said function still behaves incorrectly: when peeking with
offset it can fail with EINVAL instead of copying the
appropriate amount of memory.
Reported-by: Sasha Levin <alexander.levin@verizon.com>
Fixes: b65ac44674dd ("udp: try to avoid 2 cache miss on dequeue")
Fixes: fd851ba9caa9 ("udp: harden copy_linear_skb()")
Signed-off-by: Al Viro <viro@ZenIV.linux.org.uk>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Tested-by: Sasha Levin <alexander.levin@verizon.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sunrpc/auth_null.c')
0 files changed, 0 insertions, 0 deletions