From ffd3cd28d95f08a79d60681f80410e15876e2711 Mon Sep 17 00:00:00 2001 From: "chrisw@osdl.org" Date: Fri, 11 Mar 2005 12:14:02 -0800 Subject: [PATCH] [PATCH] add net-tun-underflow-fix.patch --- 2.6.11.4/net-tun-underflow-fix.patch | 35 ++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 2.6.11.4/net-tun-underflow-fix.patch diff --git a/2.6.11.4/net-tun-underflow-fix.patch b/2.6.11.4/net-tun-underflow-fix.patch new file mode 100644 index 00000000000..8a7c348a6c3 --- /dev/null +++ b/2.6.11.4/net-tun-underflow-fix.patch @@ -0,0 +1,35 @@ +Date: Fri, 11 Mar 2005 09:52:05 -0800 +From: Stephen Hemminger +To: Greg KH , Chris Wright +Subject: [TUN]: Fix check for underflow + +http://bugme.osdl.org/show_bug.cgi?id=4279 +Summary: When I try to start vpnc the net/core/skbuff.c:91 crash + +This check is wrong, gcc optimizes it away: + + if ((len -= sizeof(pi)) > len) + return -EINVAL; + +This could be responsible for the BUG. If len is 2 or 3 and TUN_NO_PI +isn't set it underflows. alloc_skb() allocates len + 2, which is 0 or +1 byte. skb_reserve tries to reserve 2 bytes and things explode in +skb_put. + +[TUN]: Fix check for underflow + +Signed-off-by: Patrick McHardy +Signed-off-by: Chris Wright + +diff -Nru a/drivers/net/tun.c b/drivers/net/tun.c +--- a/drivers/net/tun.c 2005-03-04 19:41:56 +01:00 ++++ b/drivers/net/tun.c 2005-03-04 19:41:56 +01:00 +@@ -229,7 +229,7 @@ + size_t len = count; + + if (!(tun->flags & TUN_NO_PI)) { +- if ((len -= sizeof(pi)) > len) ++ if ((len -= sizeof(pi)) > count) + return -EINVAL; + + if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi))) -- 2.47.3