summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuillaume Nault <g.nault@alphalink.fr>2013-06-12 16:07:23 +0200
committerDavid S. Miller <davem@davemloft.net>2013-06-13 02:39:04 -0700
commit55b92b7a11690bc377b5d373872a6b650ae88e64 (patch)
tree514fe980a7da487b07d52f2821a90820e59026fa
parent4f5474e7fd68988cb11373fc698bf10b35b49e31 (diff)
downloadlinux-55b92b7a11690bc377b5d373872a6b650ae88e64.tar.gz
linux-55b92b7a11690bc377b5d373872a6b650ae88e64.tar.bz2
linux-55b92b7a11690bc377b5d373872a6b650ae88e64.zip
l2tp: Fix PPP header erasure and memory leak
Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/l2tp/l2tp_ppp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 637a341c1e2d..681c626068b4 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -346,12 +346,12 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
skb_put(skb, 2);
/* Copy user data into skb */
- error = memcpy_fromiovec(skb->data, m->msg_iov, total_len);
+ error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov,
+ total_len);
if (error < 0) {
kfree_skb(skb);
goto error_put_sess_tun;
}
- skb_put(skb, total_len);
l2tp_xmit_skb(session, skb, session->hdr_len);