diff options
author | Russ Gorby <russ.gorby@intel.com> | 2011-06-14 13:23:29 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-06-16 12:00:15 -0700 |
commit | 57f2104f39995bac332ddc492fbf60aa28e0c35e (patch) | |
tree | ec5cc4b87ae3e3abc2749ec5010ba668231a017e /drivers/tty/n_gsm.c | |
parent | 7263287af93db4d5cf324a30546f2143419b7900 (diff) | |
download | kernel_samsung_aries-57f2104f39995bac332ddc492fbf60aa28e0c35e.zip kernel_samsung_aries-57f2104f39995bac332ddc492fbf60aa28e0c35e.tar.gz kernel_samsung_aries-57f2104f39995bac332ddc492fbf60aa28e0c35e.tar.bz2 |
tty: n_gsm: improper skb_pull() use was leaking framed data
gsm_dlci_data_output_framed() was doing:
memcpy(dp, skb_pull(dlci->skb, len), len);
The problem is skb_pull() returns the post-increment data ptr
so the first chunk of dlci->skb->data is leaked.
Signed-off-by: Russ Gorby <russ.gorby@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/tty/n_gsm.c')
-rw-r--r-- | drivers/tty/n_gsm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 7290394..19b4ae0 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -875,7 +875,8 @@ static int gsm_dlci_data_output_framed(struct gsm_mux *gsm, *dp++ = last << 7 | first << 6 | 1; /* EA */ len--; } - memcpy(dp, skb_pull(dlci->skb, len), len); + memcpy(dp, dlci->skb->data, len); + skb_pull(dlci->skb, len); __gsm_data_queue(dlci, msg); if (last) dlci->skb = NULL; |