diff options
| author | Lorenzo Bianconi <lorenzo.bianconi@redhat.com> | 2018-01-16 23:01:55 +0100 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-01-19 15:00:49 -0500 |
| commit | 62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38 (patch) | |
| tree | 670832c4df1db3f15d1b51de9875f4e4a5dd0428 /security/device_cgroup.c | |
| parent | dfffc97d0e196c33452a6bce5a78e33786247d23 (diff) | |
| download | linux-stable-62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38.tar.gz linux-stable-62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38.tar.bz2 linux-stable-62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38.zip | |
l2tp: remove l2specific_len dependency in l2tp_core
Remove l2specific_len dependency while building l2tpv3 header or
parsing the received frame since default L2-Specific Sublayer is
always four bytes long and we don't need to rely on a user supplied
value.
Moreover in l2tp netlink code there are no sanity checks to
enforce the relation between l2specific_len and l2specific_type,
so sending a malformed netlink message is possible to set
l2specific_type to L2TP_L2SPECTYPE_DEFAULT (or even
L2TP_L2SPECTYPE_NONE) and set l2specific_len to a value greater than
4 leaking memory on the wire and sending corrupted frames.
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Tested-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security/device_cgroup.c')
0 files changed, 0 insertions, 0 deletions