Thread: 3 messages, 2 authors, 2014-04-01

Re: [PATCH 3.13.y] nfqueue: Orphan frags in nfqnl_zcopy and handle errors

From: Ben Hutchings <hidden>
Date: 2014-03-30 23:56:54

On Fri, 2014-03-28 at 10:29 -0400, Josh Boyer wrote:
> Backport of upstream commit 36d5fe6a0007 to 3.13.y
>
> nfqnl_zcopy can copy elements of the frags array between skbs, but it doesn't
> orphan them.  Also, it doesn't handle errors, so this patch takes care of that
> as well, and modifies the caller accordingly.  skb_tx_error() is also added to
> the callers so they will signal the failed delivery towards the creator of the
> skb.
>
> Fixes CVE-2014-2568.
>
> Signed-off-by: Zoltan Kiss <redacted>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Josh Boyer <redacted>
[...]

FWIW, I applied the same change to Debian's 3.13.7-1, except for leaving
'from' as pointer-to-const.

Ben.

-- 
Ben Hutchings
friends: People who know you well, but like you anyway.
