Commit e1082f45 authored Mar 08, 2013 by Peter Hurley Committed by Linus Torvalds Mar 08, 2013

ipc: fix potential oops when src msg > 4k w/ MSG_COPY



If the src msg is > 4k, then dest->next points to the
next allocated segment; resetting it just prior to dereferencing
is bad.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 47b3bc90

ipc/msgutil.c

+0 −3

Original line number	Diff line number	Diff line
		@@ -117,9 +117,6 @@ struct msg_msg copy_msg(struct msg_msg src, struct msg_msg *dst)
		if (alen > DATALEN_MSG)
		alen = DATALEN_MSG;

		dst->next = NULL;
		dst->security = NULL;

		memcpy(dst + 1, src + 1, alen);

		len -= alen;