ipc: fix potential oops when src msg > 4k w/ MSG_COPY

If the src msg is > 4k, then dest->next points to the
next allocated segment; resetting it just prior to dereferencing
is bad.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Peter Hurley 2013-03-08 12:43:26 -08:00 committed by Linus Torvalds
parent 47b3bc9073
commit e1082f45f1

View File

@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst)
if (alen > DATALEN_MSG)
alen = DATALEN_MSG;
dst->next = NULL;
dst->security = NULL;
memcpy(dst + 1, src + 1, alen);
len -= alen;