Hi, On 6/2/22 20:12, Pavel Machek wrote: > Hi! > >> commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream. >> >> It appears that there are some buffer overflows in EVT_TRANSACTION. >> This happens because the length parameters that are passed to memcpy >> come directly from skb->data and are not guarded in any way. >> >> Signed-off-by: Jordy Zomer <jordy@pwning.systems> >> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxxxxx> >> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> >> Signed-off-by: Denis Efremov <denis.e.efremov@xxxxxxxxxx> >> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > > It seems that this patch causes an memory leak, transaction does not > seem to be freed in the error paths. > > (I also wonder if the skb should be freed in the error paths...?) > > Reported-by: <theflamefire89@xxxxxxxxx> Same for upstream code and it looks like the problem existed even before this patch. I'll prepare an upstream patch and cc it to stable. Thanks, Denis
