diff options
| author | Russ Gorby <russ.gorby@intel.com> | 2011-06-14 16:23:29 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-06-16 15:00:15 -0400 |
| commit | 57f2104f39995bac332ddc492fbf60aa28e0c35e (patch) | |
| tree | ec5cc4b87ae3e3abc2749ec5010ba668231a017e /drivers | |
| parent | 7263287af93db4d5cf324a30546f2143419b7900 (diff) | |
tty: n_gsm: improper skb_pull() use was leaking framed data
gsm_dlci_data_output_framed() was doing:
memcpy(dp, skb_pull(dlci->skb, len), len);
The problem is skb_pull() returns the post-increment data ptr
so the first chunk of dlci->skb->data is leaked.
Signed-off-by: Russ Gorby <russ.gorby@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/tty/n_gsm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 7290394e3131..19b4ae052af8 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c | |||
| @@ -875,7 +875,8 @@ static int gsm_dlci_data_output_framed(struct gsm_mux *gsm, | |||
| 875 | *dp++ = last << 7 | first << 6 | 1; /* EA */ | 875 | *dp++ = last << 7 | first << 6 | 1; /* EA */ |
| 876 | len--; | 876 | len--; |
| 877 | } | 877 | } |
| 878 | memcpy(dp, skb_pull(dlci->skb, len), len); | 878 | memcpy(dp, dlci->skb->data, len); |
| 879 | skb_pull(dlci->skb, len); | ||
| 879 | __gsm_data_queue(dlci, msg); | 880 | __gsm_data_queue(dlci, msg); |
| 880 | if (last) | 881 | if (last) |
| 881 | dlci->skb = NULL; | 882 | dlci->skb = NULL; |