Commit 3bf35eb3 authored by Guillaume Nault, committed by Greg Kroah-Hartman

l2tp: Fix PPP header erasure and memory leak

[ Upstream commit 55b92b7a ]

Copy user data after PPP framing header. This prevents erasure of the
added PPP header and avoids leaking two bytes of uninitialised memory
at the end of skb's data buffer.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 991e73cc
...@@ -350,12 +350,12 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh ...@@ -350,12 +350,12 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
skb_put(skb, 2); skb_put(skb, 2);
/* Copy user data into skb */ /* Copy user data into skb */
error = memcpy_fromiovec(skb->data, m->msg_iov, total_len); error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
total_len);
if (error < 0) { if (error < 0) {
kfree_skb(skb); kfree_skb(skb);
goto error_put_sess_tun; goto error_put_sess_tun;
} }
skb_put(skb, total_len);
l2tp_xmit_skb(session, skb, session->hdr_len); l2tp_xmit_skb(session, skb, session->hdr_len);
......
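Review bot: The comment above the new memcpy_fromiovec() call still reads "Copy user data into skb" and gives no hint that the destination must be the old tail returned by skb_put(skb, total_len) rather than skb->data; wording such as "Copy user data into skb, after the PPP header" would keep a later cleanup from reintroducing the overwrite of the 2 bytes reserved by the preceding skb_put(skb, 2). Since skb_put(skb, total_len) now runs before the copy, it is also worth confirming that the allocation earlier in pppol2tp_sendmsg(), which is outside this hunk, leaves tailroom for total_len plus those 2 bytes. The error path looks fine as is: the skb is released with kfree_skb() before l2tp_xmit_skb() can see the extended but unfilled area.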