diff options
author | Guillaume Nault <g.nault@alphalink.fr> | 2013-06-12 16:07:23 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-06-13 02:39:04 -0700 |
commit | 55b92b7a11690bc377b5d373872a6b650ae88e64 (patch) | |
tree | 514fe980a7da487b07d52f2821a90820e59026fa | |
parent | 4f5474e7fd68988cb11373fc698bf10b35b49e31 (diff) | |
download | linux-55b92b7a11690bc377b5d373872a6b650ae88e64.tar.gz linux-55b92b7a11690bc377b5d373872a6b650ae88e64.tar.bz2 linux-55b92b7a11690bc377b5d373872a6b650ae88e64.zip |
l2tp: Fix PPP header erasure and memory leak
Copy user data after PPP framing header. This prevents erasure of the
added PPP header and avoids leaking two bytes of uninitialised memory
at the end of skb's data buffer.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/l2tp/l2tp_ppp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 637a341c1e2d..681c626068b4 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -346,12 +346,12 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh skb_put(skb, 2); /* Copy user data into skb */ - error = memcpy_fromiovec(skb->data, m->msg_iov, total_len); + error = memcpy_fromiovec(skb_put(skb, total_len), m->msg_iov, + total_len); if (error < 0) { kfree_skb(skb); goto error_put_sess_tun; } - skb_put(skb, total_len); l2tp_xmit_skb(session, skb, session->hdr_len); |