From: Russ Gorby Date: Tue, 14 Jun 2011 20:23:29 +0000 (-0700) Subject: tty: n_gsm: improper skb_pull() use was leaking framed data X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=57f2104f39995bac332ddc492fbf60aa28e0c35e;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git tty: n_gsm: improper skb_pull() use was leaking framed data gsm_dlci_data_output_framed() was doing: memcpy(dp, skb_pull(dlci->skb, len), len); The problem is skb_pull() returns the post-increment data ptr so the first chunk of dlci->skb->data is leaked. Signed-off-by: Russ Gorby Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 7290394e3131..19b4ae052af8 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -875,7 +875,8 @@ static int gsm_dlci_data_output_framed(struct gsm_mux *gsm, *dp++ = last << 7 | first << 6 | 1; /* EA */ len--; } - memcpy(dp, skb_pull(dlci->skb, len), len); + memcpy(dp, dlci->skb->data, len); + skb_pull(dlci->skb, len); __gsm_data_queue(dlci, msg); if (last) dlci->skb = NULL;