ipc: fix potential oops when src msg > 4k w/ MSG_COPY

If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

ipc: fix potential oops when src msg > 4k w/ MSG_COPY
If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
e1082f45 · Peter Hurley · Linus Torvalds · 47b3bc90 · e1082f45
Commit e1082f45 authored Mar 08, 2013 by Peter Hurley Committed by Linus Torvalds Mar 08, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 3 deletions

ipc/msgutil.c ipc/msgutil.c +0 -3

No files found.
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
 	if (alen > DATALEN_MSG)
 		alen = DATALEN_MSG;
-	dst->next = NULL;
-	dst->security = NULL;
 	memcpy(dst + 1, src + 1, alen);
 	len -= alen;