diff options
| author | Sabrina Dubroca <sd@queasysnail.net> | 2015-10-15 14:25:03 +0200 |
|---|---|---|
| committer | Jiri Slaby <jslaby@suse.cz> | 2015-10-26 13:36:01 +0100 |
| commit | 3e1ac3aafbd0cf1f7c81cb7099a8a1d0407e021d (patch) | |
| tree | d09c6fb8d433861dcc0d874fea2a72aa17e7af4d /net/ipv6/raw.c | |
| parent | 0072abfc723f192261b5817f1f058bfc46796d19 (diff) | |
| download | lwn-3e1ac3aafbd0cf1f7c81cb7099a8a1d0407e021d.tar.gz lwn-3e1ac3aafbd0cf1f7c81cb7099a8a1d0407e021d.zip | |
net: add length argument to skb_copy_and_csum_datagram_iovec
Without this length argument, we can read past the end of the iovec in
memcpy_toiovec because we have no way of knowing the total length of the
iovec's buffers.
This is needed for stable kernels where 89c22d8c3b27 ("net: Fix skb
csum races when peeking") has been backported but that don't have the
ioviter conversion, which is almost all the stable trees <= 3.18.
This also fixes a kernel crash for NFS servers when the client uses
-onfsvers=3,proto=udp to mount the export.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Diffstat (limited to 'net/ipv6/raw.c')
| -rw-r--r-- | net/ipv6/raw.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 430067cb9210..0d51ebc176a7 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -489,7 +489,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, goto csum_copy_err; err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); } else { - err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov); + err = skb_copy_and_csum_datagram_iovec(skb, 0, msg->msg_iov, copied); if (err == -EINVAL) goto csum_copy_err; } |