From 57f2104f39995bac332ddc492fbf60aa28e0c35e Mon Sep 17 00:00:00 2001
From: Russ Gorby <russ.gorby@intel.com>
Date: Tue, 14 Jun 2011 13:23:29 -0700
Subject: tty: n_gsm: improper skb_pull() use was leaking framed data

gsm_dlci_data_output_framed() was doing:
memcpy(dp, skb_pull(dlci->skb, len), len);

The problem is skb_pull() returns the post-increment data ptr
so the first chunk of dlci->skb->data is leaked.

Signed-off-by: Russ Gorby <russ.gorby@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 drivers/tty/n_gsm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'drivers/tty')

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 7290394e3131..19b4ae052af8 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -875,7 +875,8 @@ static int gsm_dlci_data_output_framed(struct gsm_mux *gsm,
 		*dp++ = last << 7 | first << 6 | 1;	/* EA */
 		len--;
 	}
-	memcpy(dp, skb_pull(dlci->skb, len), len);
+	memcpy(dp, dlci->skb->data, len);
+	skb_pull(dlci->skb, len);
 	__gsm_data_queue(dlci, msg);
 	if (last)
 		dlci->skb = NULL;
-- 
cgit v1.2.3-59-g8ed1b